The network giant hasn’t revealed when this code will appear.
Six of the other vulnerabilities have a high rating, meaning they scored between 7.0 and 8.9 on the CVSS.Ĭisco has updated the software for the RV340 and RV345 series, but the RV160 and RV260 are eagerly awaiting their patches. CVE-2022-20708 The third 10/10 bug allows command injection, and if an attacker sends the right input to a device, they can run arbitrary commands on the underlying Linux operating system.Ĭisco’s advisory lists 15 CVEs, with two more classified as critical: the 9.3/10 CVE-2022-20703 and the 9/10 CVE-2022-20701.CVE-2022-20700 A privilege escalation bug that exists thanks to what Cisco describes as “inadequate authorization enforcement mechanisms.” Backdoor conspiracy theorists, this is for you – because Cisco says, “An attacker could exploit these vulnerabilities by sending specific commands to an affected device.” CVE-2022-20701 and CVE-2022-20702, rated 9/10 and 6/10, also have rights escalation powers.An attacker sending malicious HTTP requests could run code with root privileges. CVE-2022-20699 This is the remote code execution bug and exists due to insufficient boundary checks when processing certain HTTP requests.
If that’s not enough to worry about, the boxes can also be tricked into creating DDoS attacks. Made to retrieve and run unsigned software.bypassing authentication and authorization protections.The bugs affect the RV160, RV260, RV340 and RV345 products, all of which can be abused with: And patches are only available for two of the affected areas. Cisco has uncovered five critical flaws, three of which have a 10/10 rating on the Common Vulnerability Scoring System, affecting four of its router family targeted at small businesses.