Attack

CISA warns of active exploitation of end-of-life Cisco RV Routers

Take action: If you are running Cisco RV series routers, make sure their management interfaces are isolated from the internet and accessible only from trusted networks. Warn all router admins of phishing and malware/infostealer risks as an entry point. Ideally, replace these routers with supported devices ASAP.


Learn More

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning about active exploitation of a command injection vulnerability affecting end-of-life Cisco Small Business RV Series Routers. 

The security flaw, tracked as CVE-2023-20118 (CVSS score 6.5), allows authenticated attackers to execute arbitrary commands with root privileges, potentially leading to complete network compromise. The vulnerability stems from improper validation of user-supplied HTTP input in the web-based management interface of affected routers.

While exploitation requires valid administrative credentials, attackers can still obtain that access by chaining the CVE-2023-20025 (CVSS score 10) authentication bypass, which provides root privileges.

Attackers with valid administrative credentials can craft malicious HTTP requests that bypass security controls, inject commands, and gain unauthorized access to sensitive data or disrupt services. Cisco has confirmed that this vulnerability impacts multiple router models, including:

  • RV016
  • RV042
  • RV042G
  • RV082
  • RV320
  • RV325

These vulnerabilities affect devices running firmware versions released before April 2023. Cisco has stated it will not release patches for these affected devices as they have reached end-of-life status.

French cybersecurity firm Sekoia has observed exploitation attempts linked to the PolarEdge botnet campaign, which aims to incorporate vulnerable routers into a distributed denial-of-service (DDoS) botnet or use them as entry points for lateral movement within targeted networks.

The Shadowserver Foundation has reported escalating exploitation attempts since August 2024, though the full scope of affected organizations remains unclear.

Federal agencies must either implement mitigations or discontinue use of affected routers by March 24, 2025. CISA strongly recommends that private organizations also prioritize remediation efforts.

Administrators are advised to restrict administrative access to the routers' management interfaces and to consider decommissioning affected devices and replacing them with supported models.
