CVE-2019-15271
Published 2019-11-26
Priority P1 · 86 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KEV · ITW
CISA Known Exploited Vulnerability, due 2022-06-22
Exploited in the wild
EPSS: 5.98% (92.4th percentile)
A vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. The attacker must have either a valid credential or an active session token. The vulnerability is due to lack of input validation of the HTTP payload. An attacker could exploit this vulnerability by sending a malicious HTTP request to the web-based management interface of the targeted device. A successful exploit could allow the attacker to execute commands with root privileges.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_small_business_rv_series_router_firmware | >= unspecified < n/a | n/a |
| cisco | rv016_multi-wan_vpn_firmware | < 4.2.3.10 | 4.2.3.10 |
| cisco | rv042_dual_wan_vpn_firmware | < 4.2.3.10 | 4.2.3.10 |
| cisco | rv042g_dual_gigabit_wan_vpn_firmware | < 4.2.3.10 | 4.2.3.10 |
| cisco | rv082_dual_wan_vpn_firmware | < 4.2.3.10 | 4.2.3.10 |
| cisco | small_business_rv016_rv042_rv042g_and_rv082_routers | — | — |
Detection & IOCs (extracted from sources)
- Exploit vector targets the web-based management interface via a malicious HTTP request with unsanitized payload: monitor for anomalous or unexpected HTTP POST/GET requests to the RV series router management interface, particularly those containing serialized data or shell metacharacters in parameters.
- Root-level command execution is the outcome of successful exploitation: alert on unexpected processes spawned by the web server process (e.g., httpd) on Cisco RV016, RV042, RV042G, and RV082 devices.
- The vulnerability is rooted in deserialization of untrusted data (CWE-502): inspect HTTP payloads directed at the management interface for serialized Java/PHP objects or other deserialization gadget chains.
- No authentication bypass is required, but a valid session token is sufficient: monitor for session token reuse or credential stuffing attempts against the management interface prior to exploitation.
- Cisco Bug IDs CSCvq95596, CSCvq97028, and CSCvq97031 are associated with this CVE: use these identifiers when querying Cisco TAC logs or PSIRT feeds for affected firmware versions.
- Exploitation requires authentication (valid credential or active session token): this is an authenticated RCE, not unauthenticated. Detection rules should account for the pre-authentication step.
- Affected devices are specifically Cisco Small Business RV016, RV042, RV042G, and RV082 routers: scope detection and patching efforts to these models only.
- No workarounds exist for this vulnerability: the only remediation is applying vendor-supplied software updates.
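Because patching is the only remediation and it applies to four models only, the first practical step is an inventory triage against the fixed release in the table above. The following is an added example, not code from Cisco or from any of the sources on this page; the inventory rows, hostnames and the `triage` and `parse_version` helpers are constructed for illustration, and it assumes firmware versions are reported as dotted numbers.

```python
import re

# Fixed release and in-scope models, taken from the "Affected" table above.
FIXED = (4, 2, 3, 10)
AFFECTED_MODELS = {"RV016", "RV042", "RV042G", "RV082"}

def parse_version(text):
    """Turn '4.2.3.08' or 'v4.2.3.10' into a tuple of ints; None if unparseable."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip(), re.IGNORECASE)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))

def triage(model, firmware):
    """Classify one inventory row against CVE-2019-15271."""
    if model.strip().upper() not in AFFECTED_MODELS:
        return "out-of-scope"
    ver = parse_version(firmware)
    if ver is None:
        return "unknown-version"  # verify by hand; do not assume patched
    # Pad both sides to equal length so '4.2.3' is compared as 4.2.3.0.
    width = max(len(ver), len(FIXED))
    pad = lambda v: v + (0,) * (width - len(v))
    return "vulnerable" if pad(ver) < pad(FIXED) else "fixed"

# Constructed sample inventory (hostnames, models and versions are made up).
INVENTORY = [
    ("branch-gw-01", "RV042G", "4.2.3.08"),
    ("branch-gw-02", "rv082", "v4.2.3.9"),    # a string compare would rank this above 4.2.3.10
    ("branch-gw-03", "RV016", "4.2.3.10"),
    ("branch-gw-04", "RV042", "unknown"),
    ("hq-gw-01", "EXAMPLE-RTR", "1.0.0"),     # hypothetical model outside the advisory
]

def report(inventory=INVENTORY):
    """Map each hostname to its triage status."""
    return {host: triage(model, fw) for host, model, fw in inventory}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```

Rows that come back as `unknown-version` should be treated as unpatched until the running firmware is confirmed on the device.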
CVSS provenance
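| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | | 8.8 | HIGH | |
| cisa | | 8.8 | HIGH | |
| vendor_cisco | | 8.8 | HIGH | |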
CISA
Cisco RV Series Routers Deserialization of Untrusted Data Vulnerability
cisa·2022-06-08·CVSS 8.8
CVE-2019-15271 [HIGH] CWE-502 Cisco RV Series Routers Deserialization of Untrusted Data Vulnerability
Vulnerability: Cisco RV Series Routers Deserialization of Untrusted Data Vulnerability
Affected: Cisco RV Series Routers
A deserialization of untrusted data vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an attacker to execute code with root privileges.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-15271
Remediation Due Date: 2022-06-22
Cisco
Cisco Small Business RV016, RV042, RV042G, and RV082 Routers Arbitrary Command Execution Vulnerability
vendor_cisco·2019-11-06·CVSS 8.8
CVE-2019-15271 [HIGH] CWE-502 Cisco Small Business RV016, RV042, RV042G, and RV082 Routers Arbitrary Command Execution Vulnerability
A vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. The attacker must have either a valid credential or an active session token.
The vulnerability is due to lack of input validation of the HTTP payload. An attacker could exploit this vulnerability by sending a malicious HTTP request to the web-based management interface of the targeted device. A successful exploit could allow the attacker to execute commands with root privileges.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this
Cisco
Cisco Small Business RV016, RV042, RV042G, and RV082 Routers Arbitrary Command Execution Vulnerability
vendor_cisco·CVSS 3.0
CVE-2019-15271: Cisco Small Business RV016, RV042, RV042G, and RV082 Routers Arbitrary Command Execution Vulnerability
A vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. The attacker must have either a valid credential or an active session token. The vulnerability is due to lack of input validation of the HTTP payload. An attacker could exploit this vulnerability by sending a malicious HTTP request to the web-based management interface of the targeted device. A successful exploit could allow the attacker to execute commands with root privileges. Cisco has released software updates that address this vulnerability. There are no
CVSS: 3.0
GHSA
GHSA-87q2-rr35-r6c9: A vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an authenticated, remote attacker
ghsa_unreviewed·2022-05-24
CVE-2019-15271 [HIGH] CWE-502 GHSA-87q2-rr35-r6c9: A vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an authenticated, remote attacker
A vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. The attacker must have either a valid credential or an active session token. The vulnerability is due to lack of input validation of the HTTP payload. An attacker could exploit this vulnerability by sending a malicious HTTP request to the web-based management interface of the targeted device. A successful exploit could allow the attacker to execute commands with root privileges.
VulnCheck
Cisco RV Series Routers Deserialization of Untrusted Data Vulnerability
vulncheck·2019·CVSS 8.8
CVE-2019-15271 [HIGH] CWE-502 Cisco RV Series Routers Deserialization of Untrusted Data Vulnerability
A deserialization of untrusted data vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an attacker to execute code with root privileges.
Affected: Cisco RV Series Routers
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/uscert/ncas/alerts/aa22-158a; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://cisa.gov/news-events/cybersecurity-advisories/aa22-158a
Remediation Due: 2022-06-22
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
- 2019-11-26: Published
- 2022-06-08: Added to CISA KEV
- Exploited in the wild