CVE-2021-1602


A vulnerability in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. This vulnerability is due to insufficient user input validation. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface. A successful exploit could allow the attacker to execute arbitrary commands on an affected device using root-level privileges. Due to the nature of the vulnerability, only commands without parameters can be executed.


Published

2021-08-04T18:15:08.787

Last Modified

2024-11-21T05:44:43.223

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.2 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE

Exploitability Score

10.0

Impact Score

10.0

Weaknesses
  • Type: Secondary
    CWE-78
  • Type: Primary
    CWE-20
    CWE-78

Affected Vendors & Products
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Operating System | cisco | small_business_rv_series_router_firmware | < 1.0.01.04 | Yes |
| Hardware | cisco | small_business_rv160 | - | No |
| Hardware | cisco | small_business_rv160w | - | No |
| Hardware | cisco | small_business_rv260 | - | No |
| Hardware | cisco | small_business_rv260p | - | No |
| Hardware | cisco | small_business_rv260w | - | No |

References