#VU98035 Improper Neutralization of Expression/Command Delimiters in Cisco Systems, Inc products - CVE-2024-20470

 


Published: October 4, 2024


Vulnerability identifier: #VU98035
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-20470
CWE-ID: CWE-146
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Cisco RV340 Dual WAN Gigabit VPN Router
Cisco RV340W Dual WAN Gigabit Wireless-AC VPN Router
Cisco RV345 Dual WAN Gigabit VPN Router
RV345P Dual WAN Gigabit PoE VPN Router
Software vendor:
Cisco Systems, Inc

Description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists because the web-based management interface does not sufficiently validate user-supplied input. A remote administrator can send a specially crafted HTTP request and execute arbitrary code as the root user on the underlying operating system.


Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
