CVE-2023-20118
Published: 13 April 2023
Summary
CVE-2023-20118 is a medium-severity Command Injection (CWE-77) vulnerability in Cisco RV016 firmware. Its CVSS base score is 6.5 (Medium).
Operationally, it ranks in the top 11.6% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Deeper analysis
A vulnerability in the web-based management interface of Cisco Small Business Routers RV016, RV042, RV042G, RV082, RV320, and RV325 allows an authenticated remote attacker to execute arbitrary commands on an affected device. The issue stems from improper validation of user input in incoming HTTP packets and is tracked as CWE-77. Successful exploitation grants root-level privileges and access to unauthorized data, though the attacker must possess valid administrative credentials. The CVSS 3.1 base score is 6.5.
An attacker with administrative access can send a crafted HTTP request to the management interface to trigger command execution. No unauthenticated vector exists, limiting the attack surface to accounts that already hold administrative rights on the device.
Cisco has stated it will not release software updates to address the flaw. The vendor advisory instead directs administrators to apply workarounds that disable the affected web-management feature. The vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation.
The associated EPSS score has remained low, with a current value of 0.0383 and a peak of 0.0406.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-24297
Vulnerability details
A vulnerability in the web-based management interface of Cisco Small Business Routers RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary commands on an affected device. This vulnerability is due to improper validation of user input within incoming HTTP packets. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface. A successful exploit could allow the attacker to gain root-level privileges and access unauthorized data. To exploit this vulnerability, an attacker would need to have valid administrative credentials on the affected device. Cisco has not and will not release software updates that address this vulnerability. However, administrators may disable the affected feature as described in the Workarounds section.
- CWE(s): CWE-77
- KEV Date Added: 03 March 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of HTTP input to block the crafted requests that trigger command injection (CWE-77).
Enforces disabling the web management interface or affected feature exactly as Cisco's workaround prescribes when no patch exists.
Restricts network access to the management interface, reducing the attack surface for remote authenticated exploitation.