Cisco RV110W, RV130W, and RV215W Routers Command Shell Injection Vulnerability

A vulnerability in the command-line interface (CLI) command parser of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an authenticated, local attacker to inject arbitrary shell commands that are executed by the device. The commands are executed with full administrator privileges.

The vulnerability is due to insufficient input validation of user-controlled input parameters entered at the CLI. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input parameters to certain commands. A successful exploit could allow an authenticated attacker to execute arbitrary shell commands or scripts on the affected device.

Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160803-rv110_130w1[“https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160803-rv110_130w1”]