Cyber Resilience

CVE-2021-1291

Critical

Published: 04 February 2021

Modified: 21 November 2024
KEV Added:
Patch:
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0187 (83.5th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-1291 is a critical-severity External Control of Assumed-Immutable Web Parameter (CWE-472) vulnerability in Cisco RV160W Wireless-AC VPN Router firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 16.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Vulnerability details

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device. These vulnerabilities exist because HTTP requests are not properly validated. An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the web-based management interface of an affected device. A successful exploit could allow the attacker to remotely execute arbitrary code on the device.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

cisco rv160w wireless-ac vpn router firmware ≤ 1.0.01.02
cisco rv260 vpn router firmware ≤ 1.0.01.02
cisco rv260p vpn router with poe firmware ≤ 1.0.01.02
cisco rv260w wireless-ac vpn router firmware ≤ 1.0.01.02
cisco rv160 vpn router firmware ≤ 1.0.01.02

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
