Cisco has patched a number of important safety vulnerabilities impacting its RV Collection routers that may very well be weaponized to raise privileges and execute arbitrary code on affected techniques, whereas additionally warning of the existence of proof-of-concept (PoC) exploit code concentrating on a few of these bugs.
Three of the 15 flaws, tracked as CVE-2022-20699, CVE-2022-20700, and CVE-2022-20707, carry the very best CVSS ranking of 10.0, and have an effect on its Small Enterprise RV160, RV260, RV340, and RV345 Collection routers.
Moreover, the issues may very well be exploited to bypass authentication and authorization protections, retrieve and run unsigned software program, and even trigger denial-of-service (DoS) situations.
The networking gear maker acknowledged that it is “conscious that proof-of-concept exploit code is on the market for a number of of the vulnerabilities” however did not share any additional specifics on the character of the exploit or the identification of the menace actors that could be exploiting them.
CVE-2022-20699 issues a case of distant code execution that may very well be exploited by an attacker by sending specifically crafted HTTP requests to a tool that capabilities as an SSL VPN Gateway, successfully resulting in the execution of malicious code with root privileges.
CVE-2022-20700, CVE-2022-20701 (CVSS rating: 9.0), and CVE-2022-20702 (CVSS rating: 6.0), which the corporate stated stems from an inadequate authorization enforcement mechanism, may very well be abused to raise privileges to root and execute arbitrary instructions on the affected system.
CVE-2022-20707, the third flaw to obtain a ten.0 rating on the CVSS scale, is because of inadequate validation of user-supplied enter, enabling the adversary to inject malicious instructions and get them on the underlying Linux working system.
Different flaws fastened by Cisco are as follows:
- CVE-2022-20703 (CVSS rating: 9.3) – Cisco Small Enterprise RV Collection Routers Digital Signature Verification Bypass Vulnerability
- CVE-2022-20704 (CVSS rating: 4.8) – Cisco Small Enterprise RV Collection Routers SSL Certificates Validation Vulnerability
- CVE-2022-20705 (CVSS rating: 5.3) – Cisco Small Enterprise RV Collection Routers Improper Session Administration Vulnerability
- CVE-2022-20706 (CVSS rating: 8.3) – Cisco RV Collection Routers Open Plug and Play Command Injection Vulnerability
- CVE-2022-20708 and CVE-2022-20749 (CVSS scores: 7.3) – Cisco RV340, RV340W, RV345, and RV345P Twin WAN Gigabit VPN Routers Command Injection Vulnerabilities
- CVE-2022-20709 (CVSS rating: 5.3) – Cisco RV340, RV340W, RV345, and RV345P Twin WAN Gigabit VPN Routers Arbitrary File Add Vulnerability
- CVE-2022-20710 (CVSS rating: 5.3) – Cisco Small Enterprise RV Collection Routers GUI Denial of Service Vulnerability
- CVE-2022-20711 (CVSS rating: 8.2) – Cisco RV340, RV340W, RV345, and RV345P Twin WAN Gigabit VPN Routers Arbitrary File Overwrite Vulnerability
- CVE-2022-20712 (CVSS rating: 7.3) – Cisco Small Enterprise RV Collection Routers Add Module Distant Code Execution Vulnerability
Cisco additionally careworn that there are not any workarounds that deal with these aforementioned weaknesses, urging prospects to replace to the newest model of the software program as quickly as attainable to counter any potential assaults.