CVE-2021-1297

High

Published: 04 February 2021

Modified: 21 November 2024
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0044 (63.8th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-1297 is a high-severity Absolute Path Traversal (CWE-36) vulnerability in Cisco RV160W Wireless-AC VPN Router firmware. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 36.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

Vulnerability details

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to conduct directory traversal attacks and overwrite certain files that should be restricted on an affected system. These vulnerabilities are due to insufficient input validation. An attacker could exploit these vulnerabilities by using the web-based management interface to upload a file to a location on an affected device that they should not have access to. A successful exploit could allow the attacker to overwrite files on the file system of the affected device.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Affected versions
cisco | rv160w wireless-ac vpn router firmware | ≤ 1.0.01.02
cisco | rv260 vpn router firmware | ≤ 1.0.01.02
cisco | rv260p vpn router with poe firmware | ≤ 1.0.01.02
cisco | rv260w wireless-ac vpn router firmware | ≤ 1.0.01.02
cisco | rv160 vpn router firmware | ≤ 1.0.01.02

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.
