
CISA Warns of Cisco Small Business Router Vulnerability Exploited in the Wild


The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory warning that a critical command injection vulnerability in Cisco Small Business RV series routers, tracked as CVE-2023-20118, is being actively exploited in the wild.

The flaw, which carries a CVSS score of 6.5, has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, which requires federal agencies to remediate it under Binding Operational Directive (BOD) 22-01.

Private organizations are also urged to prioritize mitigation, since unpatched routers risk giving attackers root-level access to sensitive networks.

Cisco Small Business Router Vulnerability

The vulnerability lies in the web-based management interface of Cisco's end-of-life (EOL) RV016, RV042, RV042G, RV082, RV320 and RV325 routers.

It stems from improper validation of user input in HTTP packets (CWE-77), allowing authenticated attackers to execute arbitrary commands with root privileges.

Exploitation requires administrative credentials, but compromised credentials or insider threats could allow threat actors to:

  • Inject malicious payloads through crafted HTTP requests.
  • Bypass authorization controls to access unauthorized data.
  • Persist within networks for lateral movement or data exfiltration.

Cisco confirmed that the routers will not receive patches because of their EOL status, leaving approximately 50,000 devices worldwide exposed.

Although no ransomware campaigns have yet been linked to the flaw, CISA emphasized its potential for "significant risk" to critical infrastructure.

Mitigation strategies

Cisco recommends immediate steps to reduce the attack surface:

  • Disable remote management on RV320 and RV325 routers.
  • Block ports 443 and 60443 on RV016, RV042, RV042G and RV082 models.

These measures restrict access to the web interface to local networks, but do not eliminate the vulnerability.
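The two workarounds above differ by model, and neither removes the flaw, so an inventory check should say both which step a given device still needs and that the device stays vulnerable from the LAN afterwards. The following is an added example written for this article, not Cisco's or CISA's tooling; the inventory record fields (model, wan_mgmt_enabled, wan_open_ports) and the sample devices are constructed assumptions about what an asset database might hold.

```python
"""Exposure audit for the Cisco RV models named in the CVE-2023-20118 advisory.

Added example (not Cisco/CISA code). Maps each inventory record to the
per-model mitigation Cisco recommends and flags whether the web management
interface is still reachable from the WAN side. The inventory field names
are assumptions about your asset database.
"""
from dataclasses import dataclass, field

# Models from the advisory, grouped by the mitigation Cisco recommends for them.
DISABLE_REMOTE_MGMT = {"RV320", "RV325"}
BLOCK_PORTS = {"RV016", "RV042", "RV042G", "RV082"}
AFFECTED = DISABLE_REMOTE_MGMT | BLOCK_PORTS
MGMT_PORTS = {443, 60443}  # web-management TCP ports named in the advisory


@dataclass
class Router:
    hostname: str
    model: str
    wan_mgmt_enabled: bool = False                          # remote (WAN-side) management on
    wan_open_ports: set[int] = field(default_factory=set)  # TCP ports reachable from the WAN


@dataclass
class Finding:
    hostname: str
    model: str
    affected: bool
    action: str          # mitigation still to apply, or "none"
    wan_exposed: bool    # management interface reachable from the internet
    residual_risk: bool  # still exploitable by an authenticated LAN user after mitigation


def assess(router: Router) -> Finding:
    """Map one inventory record to the advisory's per-model mitigation."""
    model = router.model.upper()
    if model not in AFFECTED:
        return Finding(router.hostname, model, False, "none", False, False)

    if model in DISABLE_REMOTE_MGMT:
        exposed = router.wan_mgmt_enabled
        action = "disable remote management" if exposed else "none"
    else:  # RV016 / RV042 / RV042G / RV082
        open_mgmt = MGMT_PORTS & router.wan_open_ports
        exposed = bool(open_mgmt)
        action = f"block TCP {sorted(open_mgmt)} at the perimeter" if exposed else "none"

    # The workaround only limits the interface to the LAN; the command-injection
    # flaw itself remains because no patch will ship for these EOL models.
    return Finding(router.hostname, model, True, action, exposed, residual_risk=True)


def audit(inventory: list[Router]) -> list[Finding]:
    """Findings for affected devices only, WAN-exposed ones listed first."""
    findings = [f for f in (assess(r) for r in inventory) if f.affected]
    return sorted(findings, key=lambda f: (not f.wan_exposed, f.hostname))


SAMPLE_INVENTORY = [  # constructed records, not real hosts
    Router("branch-a-rtr", "RV325", wan_mgmt_enabled=True),
    Router("branch-b-rtr", "RV042", wan_open_ports={443, 60443, 22}),
    Router("branch-c-rtr", "RV082", wan_open_ports={22}),
    Router("hq-core-rtr", "RV345", wan_mgmt_enabled=True),  # supported model, out of scope
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        state = "WAN-EXPOSED" if f.wan_exposed else "lan-only"
        print(f"{f.hostname:14} {f.model:7} {state:12} next step: {f.action}")
```

Every affected device is reported with `residual_risk=True` even after the recommended step, which is the point the article makes: the workaround shrinks exposure, and segmentation or replacement is what actually closes the issue.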

Organizations that depend on these routers face a stark choice: segment their networks to limit exposure, or replace the hardware with supported models such as the RV340/RV345 series.

Federal agencies bound by BOD 22-01 must comply within 21 days, while private entities, although not subject to mandated timelines, face regulatory risk and breach liability if exploitation occurs.

The entry in CISA's KEV catalog underlines the urgency, noting that the flaw's inclusion reflects "evidence of active exploitation".

CVE-2023-20118 highlights the systemic risks posed by legacy hardware in operational environments. Despite Cisco's 2022 advisories for similar flaws in RV340/RV345 routers, many organizations continue to run EOL devices because of cost or operational inertia.

This incident mirrors past ones, such as the 2024 XSS flaw (CVE-2024-20362) in the same router series, which also went unpatched.

"Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework," CISA added.

With CVE-2023-20118 now weaponized, organizations must reassess their dependence on unsupported hardware. Cybersecurity teams should:

  • Audit networks for affected Cisco RV routers.
  • Enforce strict access controls and network segmentation.
  • Monitor logs for anomalous HTTP requests to /login.cgi or administrative endpoints.
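The last recommendation is the one teams most often leave vague, so here is one concrete form of it: an added example for this article (not a Cisco or CISA tool) that scans access-log lines for the patterns the article describes. It assumes the router's web interface sits behind a reverse proxy or perimeter device that writes common-log-format lines, that the management subnet is 10.10.0.0/24, and that administrative endpoints are .cgi paths such as /login.cgi; the log lines, the 198.51.100.77 source address and the /cgi-bin/config.exp path are all constructed for the example.

```python
"""Detection pass over web-interface access logs for the Cisco RV advisory.

Added example, not vendor or agency code. Three rules, all defensive:
  1. any request to an administrative (.cgi) endpoint from outside the
     management subnet;
  2. repeated failed POSTs to /login.cgi (the flaw needs valid admin
     credentials, so credential guessing is the precursor to watch);
  3. shell metacharacters in a decoded query string aimed at an admin
     endpoint, the generic signature of command-injection attempts.
The management subnet and the log format are assumptions.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ADMIN_PATHS = re.compile(r"\.cgi$|^/cgi-bin/")   # assumed admin endpoint shape
SHELL_META = re.compile(r"[;|`]|\$\(")           # ; | ` $(  after URL-decoding
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]  # assumed management subnet


@dataclass
class Alert:
    rule: str
    src_ip: str
    count: int
    example: str  # first matching request for the analyst


def analyze(log_text: str, mgmt_nets=MGMT_NETS, fail_threshold: int = 3) -> list[Alert]:
    hits: dict[tuple[str, str], Alert] = {}
    failed = Counter()

    def raise_alert(rule: str, ip: str, example: str) -> None:
        key = (rule, ip)
        if key in hits:
            hits[key].count += 1
        else:
            hits[key] = Alert(rule, ip, 1, example)

    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; a real pipeline would count these
        ip, method, path, status = m["ip"], m["method"], m["path"], m["status"]
        path_only, _, query = path.partition("?")
        if not ADMIN_PATHS.search(path_only):
            continue  # static content and other non-admin paths
        if not any(ipaddress.ip_address(ip) in net for net in mgmt_nets):
            raise_alert("admin_ui_from_outside_mgmt_net", ip, f"{method} {path_only}")
        if path_only == "/login.cgi" and method == "POST" and status == "401":
            failed[ip] += 1
            if failed[ip] == fail_threshold:
                raise_alert("repeated_login_failures", ip, f"{fail_threshold}+ failed logins")
        decoded = unquote(query)
        if SHELL_META.search(decoded):
            raise_alert("shell_metacharacters_in_request", ip, f"{path_only}?{decoded}")
    return sorted(hits.values(), key=lambda a: (a.src_ip, a.rule))


# Constructed sample: a legitimate admin login from the management subnet,
# then an outside host guessing credentials, succeeding, and sending a query
# string containing a shell metacharacter to an (assumed) admin endpoint.
SAMPLE_LOG = """\
10.10.0.5 - - [01/Mar/2025:09:58:11 +0000] "GET /login.cgi HTTP/1.1" 200 1024
10.10.0.5 - - [01/Mar/2025:09:58:20 +0000] "POST /login.cgi HTTP/1.1" 302 0
198.51.100.77 - - [01/Mar/2025:10:01:02 +0000] "POST /login.cgi HTTP/1.1" 401 0
198.51.100.77 - - [01/Mar/2025:10:01:03 +0000] "POST /login.cgi HTTP/1.1" 401 0
198.51.100.77 - - [01/Mar/2025:10:01:04 +0000] "POST /login.cgi HTTP/1.1" 401 0
198.51.100.77 - - [01/Mar/2025:10:01:05 +0000] "POST /login.cgi HTTP/1.1" 401 0
198.51.100.77 - - [01/Mar/2025:10:01:06 +0000] "POST /login.cgi HTTP/1.1" 200 0
198.51.100.77 - - [01/Mar/2025:10:01:09 +0000] "POST /cgi-bin/config.exp?name=x%3Bls HTTP/1.1" 200 0
10.10.0.5 - - [01/Mar/2025:10:05:00 +0000] "GET /images/logo.png HTTP/1.1" 200 4096
"""

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.rule:34} {a.src_ip:16} x{a.count:<3} e.g. {a.example}")
```

Alerts are aggregated per (rule, source address) so a burst of requests produces one line with a count rather than a flood; on the sample, the outside host trips all three rules while the in-subnet administrator trips none. If the mitigation step of blocking ports 443 and 60443 at the perimeter has been applied, rule 1 should never fire at all, which makes it a cheap check that the block is actually in place.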

As threat actors increasingly target edge devices such as routers, compliance with CISA's requirements is no longer optional but a necessary component of modern cybersecurity.
