CVE-2023-20118
Published: 2023-04-13
Priority P1 · 84 · high · CVSS 3.1 base score 7.2
CVSS vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (remediation due 2025-03-24); exploited in the wild
EPSS: 53.83% (98.9th percentile)
A vulnerability in the web-based management interface of Cisco Small Business Routers RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary commands on an affected device.
This vulnerability is due to improper validation of user input within incoming HTTP packets. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface. A successful exploit could allow the attacker to gain root-level privileges and access unauthorized data. To exploit this vulnerability, an attacker would need to have valid administrative credentials on the affected device.
Cisco has not and will not release software updates that address this vulnerability. However, administrators may disable the affected feature as described in the Workarounds section.
Affected
19 ranges (version details are not provided on this page)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_small_business_rv_series_router_firmware | — | — |
| cisco | small_business_rv016_rv042_rv042g_rv082_rv320_and_rv325_routers | — | — |
Detection & IOCs (extracted from sources)
Path: /cgi-bin/config_mirror.exp
Path: /cgi-bin/config.exp
Snort/Suricata rule M1 (sid 2060432):
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Small Business Router RV Series Command Injection (CVE-2023-20118) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/config_mirror.exp|3f|"; fast_pattern; content:"_cert"; distance:0; pcre:"/^[^\s]*?[\x3b\x60\x7c\x24]/R"; reference:url,www.iotsec-zone.com/article/383; reference:cve,2023-20118; classtype:web-application-attack; sid:2060432; rev:1;)
```
Snort/Suricata rule M2 (sid 2060433):
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Small Business Router RV Series Command Injection (CVE-2023-20118) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/config.exp|3f|"; fast_pattern; content:"_cert"; distance:0; pcre:"/^[^\s]*?[\x3b\x60\x7c\x24]/R"; reference:url,www.iotsec-zone.com/article/383; reference:cve,2023-20118; classtype:web-application-attack; sid:2060433; rev:1;)
```
- Exploit traffic uses the HTTP POST method against CGI endpoints: look for POST requests to /cgi-bin/config_mirror.exp or /cgi-bin/config.exp with a query string (the rule's `|3f|` is the literal `?` byte) followed by a `_cert` parameter containing shell metacharacters (semicolon 0x3b, backtick 0x60, pipe 0x7c, dollar sign 0x24).
- The vulnerability is in the web-based management interface and exploitation requires a crafted HTTP request, so monitoring inbound HTTP/HTTPS to the router management interface for the above CGI paths is the primary detection surface.
- Successful exploitation grants root-level privileges; post-exploitation indicators include unexpected root-level processes spawned from the web server/CGI process on affected Cisco RV-series devices.
- CVE-2023-20118 is listed in CISA KEV as actively exploited; prioritize detection and hunting on internet-exposed Cisco RV016, RV042, RV042G, RV082, RV320, and RV325 management interfaces.
- Exploitation requires valid administrative credentials; correlate detections with authentication events to reduce false positives from legitimate admin activity.
- The Snort/ET rules are tagged for TLS-decrypted traffic (tls_state TLSDecrypt); without SSL/TLS inspection in the detection pipeline they will not fire on HTTPS management sessions.
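As an added illustration (not code from this page, Cisco or Emerging Threats), the two rules above re-expressed as a matcher for web-server or proxy access-log request lines, so the same logic can be run retrospectively where no IDS with TLS decryption was in place; the sample lines are constructed, and the extra percent-decoding pass is this example's own assumption, not part of the ET rules.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Map the watched CGI paths to the ET sid that covers each one.
WATCHED_PATHS = {"/cgi-bin/config_mirror.exp": 2060432,  # M1
                 "/cgi-bin/config.exp": 2060433}         # M2
# Equivalent of the rule's pcre "/^[^\s]*?[\x3b\x60\x7c\x24]/R": from right after
# the "_cert" match, consume non-whitespace lazily until one of ; ` | $ appears.
SHELL_META = re.compile(r"[^\s]*?[;`|$]")  # Pattern.match(s, pos) anchors at pos

def match_rv_command_injection(request_line: str) -> Optional[dict]:
    """Evaluate one access-log request line ('METHOD /uri HTTP/x') against the
    rule conditions; return match details or None."""
    parts = request_line.split(" ")
    if len(parts) < 2 or parts[0] != "POST":       # http.method; content:"POST"
        return None
    path, sep, query = parts[1].partition("?")     # "|3f|" in the rule is '?'
    if not sep or path not in WATCHED_PATHS:       # http.uri; content:"<path>|3f|"
        return None
    # Assumption beyond the rule: also check the percent-decoded query so a
    # %3B / %7C-encoded metacharacter is not missed on a sensor that does
    # not normalise the URI.
    for variant, form in ((query, "raw"), (unquote(query), "decoded")):
        idx = variant.find("_cert")                # content:"_cert"; distance:0
        if idx == -1:
            continue
        m = SHELL_META.match(variant, idx + len("_cert"))  # pcre .../R
        if m:
            return {"sid": WATCHED_PATHS[path], "path": path,
                    "metachar": m.group()[-1], "form": form}
    return None

# Constructed sample request lines (not captured traffic): a benign admin
# export, a GET that the rule ignores, a raw and an encoded metacharacter.
SAMPLE_LINES = [
    "POST /cgi-bin/config.exp?action=export HTTP/1.1",
    "GET /cgi-bin/config_mirror.exp?_cert=a;b HTTP/1.1",
    "POST /cgi-bin/config_mirror.exp?_cert=a;b HTTP/1.1",
    "POST /cgi-bin/config.exp?_cert=a%7Cb HTTP/1.1",
]

def scan(lines):
    """Return (line, match-or-None) pairs; only the last two samples match."""
    return [(line, match_rv_command_injection(line)) for line in lines]

if __name__ == "__main__":
    for line, hit in scan(SAMPLE_LINES):
        print("ALERT" if hit else "ok   ", hit or "", line)
```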
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | 6.5 | MEDIUM | — |
| cisa | 7.2 | HIGH | — |
| vendor_cisco | 9.0 | CRITICAL | — |
CISA
Cisco Small Business RV Series Routers Command Injection Vulnerability
cisa·2025-03-03·CVSS 7.2
CVE-2023-20118 [HIGH] CWE-77 Cisco Small Business RV Series Routers Command Injection Vulnerability
Vulnerability: Cisco Small Business RV Series Routers Command Injection Vulnerability
Affected: Cisco Small Business RV Series Routers
Multiple Cisco Small Business RV Series Routers contain a command injection vulnerability in the web-based management interface. Successful exploitation could allow an authenticated, remote attacker to gain root-level privileges and access unauthorized data.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sbr042-multi-vuln-ej76Pke5 ; https://nvd.nist.gov/vuln/detail/CVE-2023-20118
Remediation Due Date: 2025-03-24
Cisco
Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers Vulnerabilities
vendor_cisco·2023-01-11·CVSS 9.0
CVE-2023-20025 [CRITICAL] CWE-293 Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers Vulnerabilities
Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers Vulnerabilities
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow a remote attacker to bypass authentication or execute arbitrary commands on the underlying operating system of an affected device.
For more information about these vulnerabilities, see the Details section of this advisory.
Cisco has not released software updates to address the vulnerabilities described in this advisory. There are no workarounds that address these vulnerabilities.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sbr042-multi-vuln-ej76Pke5
Cisco
Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers Vulnerabilities
vendor_cisco·CVSS 3.1
CVE-2023-20118 [MEDIUM] Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers Vulnerabilities
CVE-2023-20118: Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers Vulnerabilities
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow a remote attacker to bypass authentication or execute arbitrary commands on the underlying operating system of an affected device. For more information about these vulnerabilities, see the
Severity: medium
CVSS: 3.1
CWE: CWE-293, CWE-77
Bug IDs: CSCwd47551, CSCwd60199, CSCwe41652
GHSA
GHSA-gr43-pwpc-mp54: A vulnerability in the web-based management interface of Cisco Small Business Routers RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allo
ghsa_unreviewed·2023-04-13
CVE-2023-20118 [HIGH] CWE-20 GHSA-gr43-pwpc-mp54: A vulnerability in the web-based management interface of Cisco Small Business Routers RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allo
A vulnerability in the web-based management interface of Cisco Small Business Routers RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary commands on an affected device.
This vulnerability is due to improper validation of user input within incoming HTTP packets. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface. A successful exploit could allow the attacker to gain root-level privileges and access unauthorized data. To exploit this vulnerability, an attacker would need to have valid administrative credentials on the affected device.
Cisco has not and will not release software updates that address this vulnerability.
VulnCheck
Cisco Small Business RV Series Routers Command Injection Vulnerability
vulncheck·2023·CVSS 6.5
CVE-2023-20118 [MEDIUM] CWE-77 Cisco Small Business RV Series Routers Command Injection Vulnerability
Cisco Small Business RV Series Routers Command Injection Vulnerability
Multiple Cisco Small Business RV Series Routers contain a command injection vulnerability in the web-based management interface. Successful exploitation could allow an authenticated, remote attacker to gain root-level privileges and access unauthorized data.
Affected: Cisco Small Business RV Series Routers
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://blog.sekoia.io/polaredge-unveiling-an-uncovered-iot-botnet/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://hivepro.com/threat-advisory/polaredge-botnet-t
Suricata
ET WEB_SPECIFIC_APPS Cisco Small Business Router RV Series Command Injection (CVE-2023-20118) M1
suricata·2025-02-27·CVSS 6.5
CVE-2023-20118 [MEDIUM] ET WEB_SPECIFIC_APPS Cisco Small Business Router RV Series Command Injection (CVE-2023-20118) M1
ET WEB_SPECIFIC_APPS Cisco Small Business Router RV Series Command Injection (CVE-2023-20118) M1
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Small Business Router RV Series Command Injection (CVE-2023-20118) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/config_mirror.exp|3f|"; fast_pattern; content:"_cert"; distance:0; pcre:"/^[^\s]*?[\x3b\x60\x7c\x24]/R"; reference:url,www.iotsec-zone.com/article/383; reference:cve,2023-20118; classtype:web-application-attack; sid:2060432; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_02_27, cve CVE_2023_20118, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at
Suricata
ET WEB_SPECIFIC_APPS Cisco Small Business Router RV Series Command Injection (CVE-2023-20118) M2
suricata·2025-02-27·CVSS 6.5
CVE-2023-20118 [MEDIUM] ET WEB_SPECIFIC_APPS Cisco Small Business Router RV Series Command Injection (CVE-2023-20118) M2
ET WEB_SPECIFIC_APPS Cisco Small Business Router RV Series Command Injection (CVE-2023-20118) M2
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Small Business Router RV Series Command Injection (CVE-2023-20118) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/config.exp|3f|"; fast_pattern; content:"_cert"; distance:0; pcre:"/^[^\s]*?[\x3b\x60\x7c\x24]/R"; reference:url,www.iotsec-zone.com/article/383; reference:cve,2023-20118; classtype:web-application-attack; sid:2060433; rev:1; metadata:affected_product Cisco_RV_Series, attack_target Server, tls_state TLSDecrypt, created_at 2025_02_27, cve CVE_2023_20118, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Maj
No public exploits indexed.
Checkpoint
10th March – Threat Intelligence Report
blogs_checkpoint·2025-03-10
CVE-2025-22224 10th March – Threat Intelligence Report
## 10th March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 10th March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The City of Mission, Texas, has declared a local state of emergency following a severe cybersecurity incident that threatens to expose protected personal information, health records, and other critical data managed by city departments. The emergency declaration was issued by Mayor Norie Gonzalez Garza on March 4, 2025, after
Bleepingcomputer
Cisco warns of Webex for BroadWorks flaw exposing credentials
blogs_bleepingcomputer·2025-03-04·CVSS 6.5
[MEDIUM] Cisco warns of Webex for BroadWorks flaw exposing credentials
## Cisco warns of Webex for BroadWorks flaw exposing credentials
## Sergiu Gatlan
Cisco warned customers today of a vulnerability in Webex for BroadWorks that could let unauthenticated attackers access credentials remotely.
Webex for BroadWorks integrates Cisco Webex's video conferencing and collaboration features with the BroadWorks unified communications platform.
While the company has yet to assign a CVE ID to track this security issue, Cisco says in a Tuesday security advisory that it already pushed a configuration change to address the flaw and advised customers to restart their Cisco Webex app to get the fix.
"A low-severity vulnerability in Cisco Webex for BroadWorks Release 45.2 could allow an unauthenticated, remote attacker to access data and credentials if unsecure transpor
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sbr042-multi-vuln-ej76Pke5
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-20118
Timeline
- 2023-04-13: Published
- 2025-03-03: Added to CISA KEV
- Exploited in the wild