The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent advisory, warning that a critical command injection vulnerability in Cisco Small Business RV Series Routers tracked as CVE-2023-20118 is being actively exploited in the wild.
The flaw, which carries a CVSS score of 6.5, has been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog, compelling federal agencies to remediate it under Binding Operational Directive (BOD) 22-01.
Private organizations are also urged to prioritize mitigation, as unpatched routers risk granting attackers root-level access to sensitive networks.
.png
)
Cisco Small Business Routers Vulnerability
The vulnerability resides in the web-based management interface of Cisco’s end-of-life (EoL) RV016, RV042, RV042G, RV082, RV320, and RV325 routers.
It stems from improper validation of user input in HTTP packets (CWE-77), allowing authenticated attackers to execute arbitrary commands with root privileges.
Exploitation requires administrative credentials, but compromised credentials or insider threats could enable threat actors to:
- Inject malicious payloads via crafted HTTP requests.
- Bypass authorization controls to access unauthorized data.
- Persist within networks for lateral movement or data exfiltration.
Cisco confirmed the routers will not receive patches due to their EoL status, leaving an estimated 50,000 devices globally exposed.
While no ransomware campaigns have been linked to the flaw yet, CISA emphasized its potential for “significant risk” to critical infrastructure.
Mitigation Strategies
Cisco recommends immediate steps to reduce attack surfaces:
- Disable remote management on RV320 and RV325 routers.
- Block ports 443 and 60443 on RV016, RV042, RV042G, and RV082 models.
These measures restrict access to the web interface to local networks but do not eliminate the vulnerability.
Organizations reliant on these routers face a stark choice: segment networks to limit exposure or replace hardware with supported models like the RV340/RV345 series.
Federal agencies bound by BOD 22-01 must comply within 21 days, but private entities lacking mandated timelines risk regulatory penalties and breach liabilities if exploitation occurs.
CISA’s KEV Catalog entry underscores the urgency, noting the flaw’s inclusion reflects “evidence of active exploitation.”
CVE-2023-20118 highlights systemic risks posed by legacy hardware in operational environments. Despite Cisco’s 2022 advisories for similar flaws in RV340/RV345 routers, many organizations continue using EoL devices due to cost or operational inertia.
This incident mirrors past incidents, such as the 2024 XSS flaw (CVE-2024-20362) in the same router series, which also lacked patches.
“Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework,” CISA added.
With CVE-2023-20118 now weaponized, organizations must reassess reliance on unsupported hardware. Cybersecurity teams should:
- Audit networks for affected Cisco RV routers.
- Enforce strict access controls and network segmentation.
- Monitor logs for anomalous HTTP requests to /login.cgi or /admin endpoints.
As threat actors increasingly target edge devices such as routers, adherence to CISA’s requirements is no longer optional but rather a necessary component of modern cybersecurity.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
