August 4, 2022
Cisco Patches 2 Critical RCE Vulnerabilities Impacting VPN Routers
Cisco has patched critical security vulnerabilities that allowed unauthenticated remote attackers to execute arbitrary code or commands and cause denial of service (DoS) conditions on vulnerable devices.
The vulnerabilities were discovered in the web-based management interfaces and the web filter database update feature, and are both caused by insufficient input validation.
- CVE-2022-20842 (CVSS score: 9.8) – Cisco Small Business RV Series Routers Remote Code Execution and Denial of Service Vulnerability
- CVE-2022-20827 (CVSS score: 9.0) – Cisco Small Business RV Series Routers Web Filter Database Update Command Injection Vulnerability
- RV340 and RV345 Series Routers 1.0.03.26 and earlier
- RV160 and RV260 Series Routers Earlier than 1.0.01.05
- RV160 and RV260 Series Routers 1.0.01.05
- RV340 and RV345 Series Routers Earlier than 1.0.03.26
- RV340 and RV345 Series Routers 1.0.03.26
CYREBRO recommends updating Cisco VPN routers to an appropriate fixed software release.
References: Cisco Advisory.