Network equipment giant Cisco has released new patches that fix critical vulnerabilities in its routers. The vulnerable devices belong to Cisco’s Small Business RV Series router family. The CVSS scores of the vulnerabilities range from 5.3 to 10.0, so it is necessary to apply the patches immediately.
No workarounds for mitigation
The vulnerabilities affect Cisco’s RV160, RV260, RV340, and RV345 router families
The company has released an article that contains information about the flaws and the affected devices. Cisco states that some of the vulnerabilities depend on one another, which means attackers must abuse a chain of flaws to exploit the router. Not all of the vulnerabilities depend on another one, however. The network giant also adds that there are no workarounds to mitigate the flaws listed below.
Here is the list of the vulnerabilities and the related devices:
CVE-2022-20700, CVE-2022-20701, CVE-2022-20702, CVE-2022-20703, CVE-2022-20704, CVE-2022-20705, CVE-2022-20706, CVE-2022-20710, CVE-2022-20712 affect the following Cisco routers:
- RV160 VPN Routers
- RV160W Wireless-AC VPN Routers
- RV260 VPN Routers
- RV260P VPN Routers with PoE
- RV260W Wireless-AC VPN Routers
- RV340 Dual WAN Gigabit VPN Routers
- RV340W Dual WAN Gigabit Wireless-AC VPN Routers
- RV345 Dual WAN Gigabit VPN Routers
- RV345P Dual WAN Gigabit POE VPN Routers
CVE-2022-20699, CVE-2022-20707, CVE-2022-20708, CVE-2022-20709, CVE-2022-20711, CVE-2022-20749 affect the following Cisco routers:
- RV340 Dual WAN Gigabit VPN Routers
- RV340W Dual WAN Gigabit Wireless-AC VPN Routers
- RV345 Dual WAN Gigabit VPN Routers
- RV345P Dual WAN Gigabit POE VPN Routers
Exploiting these vulnerabilities makes it possible to execute arbitrary code, elevate privileges, execute arbitrary commands, bypass authentication/authorization protections, fetch and run unsigned software, and cause a denial of service.