Three vulnerabilities have been identified by external researchers in Cisco’s RV160, RV260, RV340, and RV345 series VPN routers. An unauthenticated attacker could exploit the flaws remotely for arbitrary code execution and denial-of-service (DoS) attacks.
Two of the vulnerabilities have been assigned a ‘critical’ severity rating. One of them, CVE-2022-20842, affects the routers’ web-based management interface and is caused by insufficient user input validation. An attacker can exploit the weakness by sending specially crafted HTTP requests to the targeted device. Successful exploitation can result in arbitrary code being executed on the underlying operating system (OS) with root privileges, or the targeted device entering a DoS condition.