Cisco has patched numerous critical security vulnerabilities impacting its RV Collection routers that could be weaponized to elevate privileges and execute arbitrary code on influenced units, while also warning of the existence of evidence-of-concept (PoC) exploit code focusing on some of these bugs.
3 of the 15 flaws, tracked as CVE-2022-20699, CVE-2022-20700, and CVE-2022-20707, have the optimum CVSS score of 10., and influence its Compact Business RV160, RV260, RV340, and RV345 Series routers.
In addition, the flaws could be exploited to bypass authentication and authorization protections, retrieve and operate unsigned software package, and even induce denial-of-service (DoS) problems.
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
The networking equipment maker acknowledged that it is really “knowledgeable that proof-of-idea exploit code is accessible for quite a few of the vulnerabilities” but did not share any even further particulars on the mother nature of the exploit or the identification of the menace actors that may well be exploiting them.
CVE-2022-20699 considerations a situation of remote code execution that could be exploited by an attacker by sending specially crafted HTTP requests to a machine that features as an SSL VPN Gateway, successfully primary to the execution of malicious code with root privileges.
CVE-2022-20700, CVE-2022-20701 (CVSS rating: 9.), and CVE-2022-20702 (CVSS rating: 6.), which the enterprise reported stems from an insufficient authorization enforcement mechanism, could be abused to elevate privileges to root and execute arbitrary commands on the influenced program.
CVE-2022-20707, the 3rd flaw to receive a 10. rating on the CVSS scale, is because of to inadequate validation of consumer-supplied enter, enabling the adversary to inject destructive commands and get them on the fundamental Linux functioning technique.
Other flaws preset by Cisco are as follows:
- CVE-2022-20703 (CVSS score: 9.3) – Cisco Tiny Small business RV Sequence Routers Electronic Signature Verification Bypass Vulnerability
- CVE-2022-20704 (CVSS score: 4.8) – Cisco Modest Business enterprise RV Sequence Routers SSL Certificate Validation Vulnerability
- CVE-2022-20705 (CVSS score: 5.3) – Cisco Tiny Business enterprise RV Collection Routers Inappropriate Session Administration Vulnerability
- CVE-2022-20706 (CVSS score: 8.3) – Cisco RV Collection Routers Open up Plug and Enjoy Command Injection Vulnerability
- CVE-2022-20708 and CVE-2022-20749 (CVSS scores: 7.3) – Cisco RV340, RV340W, RV345, and RV345P Twin WAN Gigabit VPN Routers Command Injection Vulnerabilities
- CVE-2022-20709 (CVSS score: 5.3) – Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Arbitrary File Add Vulnerability
- CVE-2022-20710 (CVSS rating: 5.3) – Cisco Small Company RV Series Routers GUI Denial of Company Vulnerability
- CVE-2022-20711 (CVSS score: 8.2) – Cisco RV340, RV340W, RV345, and RV345P Twin WAN Gigabit VPN Routers Arbitrary File Overwrite Vulnerability
- CVE-2022-20712 (CVSS score: 7.3) – Cisco Compact Business RV Sequence Routers Add Module Remote Code Execution Vulnerability
Cisco also pressured that there are no workarounds that address these aforementioned weaknesses, urging consumers to the most current edition of the computer software as quickly as feasible to counter any prospective attacks.
Discovered this short article exciting? Stick to THN on Facebook, Twitter and LinkedIn to study more exceptional material we put up.
Some pieces of this report are sourced from:
thehackernews.com