{ "CVE_data_meta" : { "ASSIGNER" : "psirt@cisco.com", "DATE_PUBLIC" : "2019-02-27T16:00:00-0800", "ID" : "CVE-2019-1663", "STATE" : "PUBLIC", "TITLE" : "Cisco RV110W, RV130W, and RV215W Routers Management Interface Remote Command Execution Vulnerability" }, "affects" : { "vendor" : { "vendor_data" : [ { "product" : { "product_data" : [ { "product_name" : "RV110W Wireless-N VPN Firewall", "version" : { "version_data" : [ { "affected" : "<", "version_value" : "1.2.2.1" } ] } }, { "product_name" : "RV130W Wireless-N Multifunction VPN Router", "version" : { "version_data" : [ { "affected" : "<", "version_value" : "1.0.3.45" } ] } }, { "product_name" : "RV215W Wireless-N VPN Router", "version" : { "version_data" : [ { "affected" : "<", "version_value" : "1.3.1.1" } ] } } ] }, "vendor_name" : "Cisco" } ] } }, "data_format" : "MITRE", "data_type" : "CVE", "data_version" : "4.0", "description" : { "description_data" : [ { "lang" : "eng", "value" : "A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The vulnerability is due to improper validation of user-supplied data in the web-based management interface. An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of the affected device as a high-privilege user. RV110W Wireless-N VPN Firewall versions prior to 1.2.2.1 are affected. RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected. RV215W Wireless-N VPN Router versions prior to 1.3.1.1 are affected." } ] }, "exploit" : [ { "lang" : "eng", "value" : "Security researchers announced the discovery of this vulnerability, without any technical details or mention of the affected products, at the GeekPwn Shanghai conference on October 24-25, 2018. " } ], "impact" : { "cvss" : { "baseScore" : "9.8", "vectorString" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H ", "version" : "3.0" } }, "problemtype" : { "problemtype_data" : [ { "description" : [ { "lang" : "eng", "value" : "CWE-119" } ] } ] }, "references" : { "reference_data" : [ { "name" : "20190227 Cisco RV110W, RV130W, and RV215W Routers Management Interface Remote Command Execution Vulnerability", "refsource" : "CISCO", "url" : "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex" }, { "name" : "107185", "refsource" : "BID", "url" : "http://www.securityfocus.com/bid/107185" } ] }, "source" : { "advisory" : "cisco-sa-20190227-rmi-cmd-ex", "defect" : [ [ "CSCvn18638", "CSCvn18639", "CSCvn18642" ] ], "discovery" : "INTERNAL" } }