Vulnerabilities > CVE-2019-15271 - Deserialization of Untrusted Data vulnerability in Cisco products

CVSS 9.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

cisco

CWE-502

critical

NVD

Published: 2019-11-26

Updated: 2019-12-11

Summary

A vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. The attacker must have either a valid credential or an active session token. The vulnerability is due to lack of input validation of the HTTP payload. An attacker could exploit this vulnerability by sending a malicious HTTP request to the web-based management interface of the targeted device. A successful exploit could allow the attacker to execute commands with root privileges.

Vulnerable Configurations

Part	Description	Count
OS	Cisco Cisco Rv016 Multi WAN VPN Firmware * Cisco Rv042 Dual WAN VPN Firmware * Cisco Rv042G Dual Gigabit WAN VPN Firmware * Cisco Rv082 Dual WAN VPN Firmware *	4
Hardware	Cisco Cisco Rv016 Multi WAN VPN - Cisco Rv042 Dual WAN VPN - Cisco Rv042G Dual Gigabit WAN VPN - Cisco Rv082 Dual WAN VPN -	4

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-sbrv-cmd-x