Cyber Resilience

CVE-2023-20118

MediumCISA KEVActive ExploitationEUVD ExploitedRCE

Published: 13 April 2023

Published
13 April 2023
Modified
28 October 2025
KEV Added
03 March 2025
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0383 88.4th percentile
Risk Priority 35 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-20118 is a medium-severity Command Injection (CWE-77) vulnerability in Cisco Rv016 Firmware. Its CVSS base score is 6.5 (Medium).

Operationally, ranked in the top 11.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

A vulnerability in the web-based management interface of Cisco Small Business Routers RV016, RV042, RV042G, RV082, RV320, and RV325 allows an authenticated remote attacker to execute arbitrary commands on an affected device. The issue stems from improper validation of user input in incoming HTTP packets and is tracked as CWE-77. Successful exploitation grants root-level privileges and access to unauthorized data, though the attacker must possess valid administrative credentials. The CVSS 3.1 base score is 6.5.

An attacker with administrative access can send a crafted HTTP request to the management interface to trigger command execution. No unauthenticated vector exists, limiting the attack surface to accounts that already hold administrative rights on the device.

Cisco has stated it will not release software updates to address the flaw. The vendor advisory instead directs administrators to apply workarounds that disable the affected web-management feature. The vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation.

The associated EPSS score has remained low, with a current value of 0.0383 and a peak of 0.0406.

EU & UK References

Vulnerability details

A vulnerability in the web-based management interface of Cisco Small Business Routers RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary commands on an affected device. This vulnerability is due to improper…

more

validation of user input within incoming HTTP packets. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface. A successful exploit could allow the attacker to gain root-level privileges and access unauthorized data. To exploit this vulnerability, an attacker would need to have valid administrative credentials on the affected device. Cisco has not and will not release software updates that address this vulnerability. However, administrators may disable the affected feature as described in the Workarounds ["#workarounds"] section. {{value}} ["%7b%7bvalue%7d%7d"])}]]

CWE(s)
KEV Date Added
03 March 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

cisco
rv016 firmware
all versions
cisco
rv042 firmware
all versions
cisco
rv042g firmware
all versions
cisco
rv082 firmware
all versions
cisco
rv320 firmware
all versions
cisco
rv325 firmware
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of HTTP input to block the crafted requests that trigger command injection (CWE-77).

prevent

Enforces disabling the web management interface or affected feature exactly as Cisco's workaround prescribes when no patch exists.

prevent

Restricts network access to the management interface, reducing the attack surface for remote authenticated exploitation.

References