Cisco Business Routers Found Vulnerable to Critical Remote Hacking Flaws



Cisco on Wednesday released patches to address eight security vulnerabilities, three of which could allow an unauthenticated attacker to achieve remote code execution (RCE) or cause a denial of service (DoS) condition on affected devices.

The most critical of the flaws affects Cisco’s small business RV160, RV260, RV340, and RV345 Series routers. Tracked as CVE-2022-20842 (CVSS score: 9.8), the vulnerability stems from insufficient validation of user-supplied input in the web-based device management interface.


“An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device,” Cisco said in its advisory. “A successful exploit could allow an attacker to execute arbitrary code as a root user on the underlying operating system or cause the device to reboot, resulting in a DoS condition.”

The second flaw is a command injection vulnerability in the routers’ web filtering database update feature (CVE-2022-20827, CVSS score: 9.0), which an adversary could use to inject and execute arbitrary commands on the underlying operating system with root privileges.


The third router-related flaw to be addressed (CVE-2022-20841, CVSS score: 8.0) is also a command injection flaw, this time in the Open Plug-n-Play (PnP) module, that can be exploited by sending malicious input to achieve code execution on a target Linux host.


“To exploit this vulnerability, an attacker would need to use a man-in-the-middle or have an authenticated foot on a special network device connected to the affected router,” the network equipment maker explained.

Also listed by Cisco are five moderate security flaws affecting Webex Meetings, Identity Services Engine, Unified Communications Manager, and Broadworks Application Delivery Platform.

The company has not provided any solutions to fix the problems, and there is no evidence that these weaknesses are being exploited in the wild. That said, customers are advised to move quickly to apply the updates.
