CVE-2023-20118
published 2023-04-13


Priority: P1 (84) · Severity: high · CVSS 3.1 base score: 7.2
CVSS vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW
CISA Known Exploited Vulnerability (remediation due 2025-03-24)
Exploited in the wild
EPSS: 53.83% (98.9th percentile)
A vulnerability in the web-based management interface of Cisco Small Business Routers RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary commands on an affected device. This vulnerability is due to improper validation of user input within incoming HTTP packets. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface. A successful exploit could allow the attacker to gain root-level privileges and access unauthorized data. To exploit this vulnerability, an attacker would need to have valid administrative credentials on the affected device. Cisco has not and will not release software updates that address this vulnerability. However, administrators may disable the affected feature as described in the Workarounds section.

Affected (19 ranges; the version range and fixed-in values were not captured on this page)

Vendor: cisco · Product: cisco_small_business_rv_series_router_firmware (18 ranges)
Vendor: cisco · Product: small_business_rv016_rv042_rv042g_rv082_rv320_and_rv325_routers (1 range)

Detection & IOCs (extracted from sources)

Path: /cgi-bin/config_mirror.exp
Path: /cgi-bin/config.exp

Snort rule (sid 2060432):
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Small Business Router RV Series Command Injection (CVE-2023-20118) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/config_mirror.exp|3f|"; fast_pattern; content:"_cert"; distance:0; pcre:"/^[^\s]*?[\x3b\x60\x7c\x24]/R"; reference:url,www.iotsec-zone.com/article/383; reference:cve,2023-20118; classtype:web-application-attack; sid:2060432; rev:1;)

Snort rule (sid 2060433):
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Small Business Router RV Series Command Injection (CVE-2023-20118) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/config.exp|3f|"; fast_pattern; content:"_cert"; distance:0; pcre:"/^[^\s]*?[\x3b\x60\x7c\x24]/R"; reference:url,www.iotsec-zone.com/article/383; reference:cve,2023-20118; classtype:web-application-attack; sid:2060433; rev:1;)
  • Exploit traffic uses the HTTP POST method against CGI endpoints; look for POST requests to /cgi-bin/config_mirror.exp or /cgi-bin/config.exp with a query string (the '?' is written as |3f| in the rules) followed by a '_cert' parameter containing shell metacharacters (semicolon 0x3b, backtick 0x60, pipe 0x7c, dollar sign 0x24).
  • The vulnerability is in the web-based management interface; exploitation requires sending a crafted HTTP request. Monitoring inbound HTTP/HTTPS to the router management interface for the above CGI paths is the primary detection surface.
  • Successful exploitation grants root-level privileges; post-exploitation indicators should include unexpected root-level process spawning from the web server/CGI process on affected Cisco RV-series devices.
  • CVE-2023-20118 is listed in CISA KEV as actively exploited; prioritize detection and hunting on internet-exposed Cisco RV016, RV042, RV042G, RV082, RV320, and RV325 management interfaces.
  • Exploitation requires valid administrative credentials; detections should be correlated with authentication events to reduce false positives from legitimate admin activity.
  • The Snort/ET rules are tagged for TLS-decrypted traffic (tls_state TLSDecrypt); without SSL inspection in the detection pipeline, the rules will not fire on HTTPS management sessions.
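The rule logic from the bullets above, as an added Python example (not from this page or from the ET rule authors): it applies the two rules' conditions (POST, watched CGI path, query string, a shell metacharacter after "_cert") to constructed access-log lines and keeps the user field for correlation with admin logins. The parameter name x_cert and the log lines are constructed, and the percent-decode check goes beyond the raw-byte matching of the rules.

```python
import re
from urllib.parse import unquote

# Paths and metacharacters taken from the two ET rules on this page
# (sid 2060432 and 2060433). The parameter name in the sample lines
# below is constructed; only the "_cert" substring comes from the rules.
WATCHED_PATHS = ("/cgi-bin/config_mirror.exp", "/cgi-bin/config.exp")
# Equivalent of pcre:"/^[^\s]*?[\x3b\x60\x7c\x24]/R" applied after "_cert":
# one of ; ` | $ appears before any whitespace.
AFTER_CERT = re.compile(r"_cert[^\s]*?[;`|$]")

# Common Log Format: src ident user [time] "method uri proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed access-log lines (sample data, not captured traffic).
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Mar/2025:10:00:01 +0000] "POST /cgi-bin/config_mirror.exp?x_cert=abc;xyz HTTP/1.1" 200 512
10.0.0.5 - admin [01/Mar/2025:10:00:02 +0000] "POST /cgi-bin/config.exp?x_cert=abc%60xyz HTTP/1.1" 200 512
10.0.0.7 - admin [01/Mar/2025:10:01:00 +0000] "POST /cgi-bin/config.exp?x_cert=router1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Mar/2025:10:02:00 +0000] "GET /cgi-bin/config_mirror.exp?x_cert=abc;xyz HTTP/1.1" 403 0
10.0.0.9 - - [01/Mar/2025:10:03:00 +0000] "POST /cgi-bin/status.cgi?x_cert=abc;xyz HTTP/1.1" 404 0
"""

def matches_rule(method: str, uri: str) -> bool:
    """Apply the rule logic to one request line: POST, watched CGI path,
    a query string, and a metacharacter after "_cert" in that query."""
    if method != "POST":
        return False
    path, sep, query = uri.partition("?")
    if not sep or path not in WATCHED_PATHS:
        return False
    # The Snort rule inspects raw bytes; checking the percent-decoded query
    # as well (beyond what the rule does) catches an encoded metacharacter.
    return any(AFTER_CERT.search(q) for q in (query, unquote(query)))

def scan_log(text: str) -> list[dict]:
    """Return one record per matching request; the user field is kept so
    hits can be correlated with admin authentication events."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and matches_rule(m["method"], m["uri"]):
            hits.append({"src": m["src"], "user": m["user"],
                         "ts": m["ts"], "uri": m["uri"]})
    return hits
```

Running scan_log(SAMPLE_LOG) flags the first two lines only: the GET and the non-watched path are ignored, and the second hit is found only through the decoded query.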

CVSS provenance

NVD (CVSS v3.1): 7.2 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 6.5 MEDIUM
CISA: 7.2 HIGH
Vendor (Cisco): 9.0 CRITICAL