Critical vulnerability in web interface Cisco VPN routers

A critical vulnerability in Cisco VPN routers makes it possible for attackers to completely take over the remote devices or have them rebooted, causing a denial-of-service, the network manufacturer that released security updates to fix the problem warns. The vulnerability, designated CVE-2022-20842, is present in the web interface of Cisco Small Business RV routers RV340, RV340W, RV345, and RV345P. The web interface does not appear to properly monitor user input. By sending a specially crafted http packet, an unauthenticated attacker can execute arbitrary code with root privileges, meaning complete control of the device. The impact of the vulnerability is rated on a scale of 1 to 10 with a 9.8. In addition, Cisco has also released an update for another critical vulnerability (CVE-2022-20827) that resides in the web filter database of several models of VPN routers (RV160, RV160W, RV260, RV260P, RV260W, RV340, RV340W, RV345 and RV345P). This vulnerability also allows an unauthenticated attacker to remotely execute arbitrary code with root privileges. The impact score is rated slightly lower with a 9.0. Cisco is calling on organizations to install the updates made available.