CVE-2022-20705

Name of the Vulnerable Software and Affected Versions Cisco Small Business RV160, RV160W, RV260, RV260P, RV260W, RV340, RV340W, RV345, RV345P (affected versions not specified)

Description The issue is related to weaknesses in the authentication procedure of the web interface of the affected routers. This could allow a remote attacker to gain partial administrative privileges and perform unauthorized actions. The vulnerability may also enable an attacker to execute arbitrary code, elevate privileges, execute arbitrary commands, bypass authentication and authorization protections, fetch and run unsigned software, or cause a denial of service (DoS).

Recommendations For Cisco Small Business RV160, RV160W, RV260, RV260P, RV260W, RV340, RV340W, RV345, RV345P, consider disabling the web interface until a patch is available. Restrict access to the upload.cgi endpoint to minimize the risk of exploitation. Avoid using the sessionid variable in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.