Cisco has warned of a highly critical remote code execution (RCE) vulnerability in the web-based VPN management interface of Cisco RV110W, RV130W, and RV215W Routers.
Cisco network admins should note that this RCE vulnerability, CVE-2019-1663, is rated critical and has a CVSS score of 9.8 (10 being the highest).
The RCE vulnerability impacts the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, the Cisco RV130W Wireless-N Multifunction VPN Router, and the Cisco RV215W Wireless-N VPN Router. Remote unauthenticated attackers could exploit the bug and execute arbitrary code on an affected device.
Cisco provided a summary of the threat in an advisory on Wednesday:
“The vulnerability is due to improper validation of user-supplied data in the web-based management interface. An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of the affected device as a high-privilege user.”
Cisco has provided software updates to fix the vulnerability. Patches should be applied as soon as possible.