CVE-2023-20118 — Cisco Small Business RV Series Routers Command Injection Vulnerability

CVE-2023-20118

Cisco Small Business RV016/RV042/RV082/RV320/RV325 — Authenticated Command Injection via Web UI → Root Code Execution; EoL Devices; No Patch for Some Models; KEV March 2025

What is Cisco Small Business RV Series?

The Cisco Small Business RV Series (RV016, RV042, RV042G, RV082, RV320, RV325) are small and medium business (SMB) VPN routers designed to provide basic routing, NAT, and VPN (IPsec/SSL) functionality. These devices were widely deployed in small offices, retail locations, and branch offices as inexpensive VPN gateways and WAN edge routers. Cisco has designated all models in this series as end-of-life (EoL) — they have reached end-of-support and will not receive firmware patches for newly discovered vulnerabilities. Despite EoL status, many of these devices remain in active deployment because replacement is often deferred.

Overview

CVE-2023-20118 is a command injection vulnerability (CWE-77) in the web-based management interface of multiple Cisco Small Business RV Series routers that allows an authenticated remote attacker with administrative privileges to gain root-level code execution and access unauthorized data. Cisco published advisory cisco-sa-sbr042-multi-vuln-ej76Pke5 in April 2023 as part of a multi-vulnerability disclosure for the RV Series. CISA added CVE-2023-20118 to the KEV catalog nearly two years later, on March 3, 2025 — reflecting continued exploitation of these EoL devices long after disclosure.

The PR:H (high privilege required) constraint means exploitation requires valid administrator credentials for the web UI — but EoL network devices are often left with default or weak credentials, particularly in small business environments.

Affected Versions

Product                                     Affected       Fixed
Cisco RV016 Multi-WAN VPN Router            All versions   No patch — EoL
Cisco RV042 Dual WAN VPN Router             All versions   No patch — EoL
Cisco RV042G Dual Gigabit WAN VPN Router    All versions   No patch — EoL
Cisco RV082 Dual WAN VPN Router             All versions   No patch — EoL
Cisco RV320 Dual Gigabit WAN VPN Router     All versions   No patch — EoL
Cisco RV325 Dual Gigabit WAN VPN Router     All versions   No patch — EoL

Technical Details

Command injection (CWE-77) in the web management interface occurs when user-supplied input — in this case, configuration parameters submitted through the router's web-based admin UI — is passed to a shell command without adequate sanitization. An authenticated administrator who sends a crafted HTTP request to a vulnerable management endpoint can inject shell metacharacters (e.g., ;, |, `, $(...)) into a parameter that is subsequently executed in an OS command context. Because embedded device web interfaces typically run as root or with minimal privilege separation, the injected command executes with root-level privileges.

The attack flow:

  1. Authenticate to the web management interface — use valid administrator credentials (or default credentials if unchanged) to log into the router's web UI
  2. Submit a crafted request — send a specially crafted request to the vulnerable management endpoint containing shell command injection in the parameter value
  3. Achieve root code execution — the injected shell commands execute with root privileges, providing full control over the device's operating system, VPN configuration, and network traffic

With root access on the router, an attacker can modify routing tables, capture all traversing traffic, install persistent backdoors in the router's flash storage, or use the device as a pivot point for attacks on connected networks.
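The following is an added illustration of the CWE-77 pattern described above, not code from the affected Cisco firmware: a hypothetical "ping diagnostic" handler of the kind an embedded router's web UI exposes, shown in its vulnerable form (the parameter is pasted into a shell command line) beside a hardened form (strict allowlist validation, then an argv list executed without a shell). The handler, parameter and helper names are assumptions.

```python
import re
import subprocess

# Added example, not Cisco's code. The "ping diagnostic" handler, its
# `target` parameter and the helper names below are hypothetical.

# Allowlist for a hostname or IPv4 literal (RFC 1123 label syntax).
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_command_unsafe(target: str) -> str:
    """The vulnerable pattern (CWE-77): the web parameter is concatenated
    into a command line that a handler would pass to the shell via
    system()/popen(). Returned as a string rather than executed so the
    effect is visible: any shell metacharacter in `target` survives into
    the command line and the shell would interpret it."""
    return f"ping -c 1 {target}"


def validate_target(target: str) -> str:
    """Reject anything that is not a plain hostname or IPv4 literal.
    Allowlisting the expected syntax is preferable to stripping a denylist
    of metacharacters, which is easy to leave incomplete."""
    if len(target) > 253 or not HOSTNAME_RE.match(target):
        raise ValueError(f"invalid target parameter: {target!r}")
    return target


def build_command_safe(target: str) -> list[str]:
    """Hardened form: validate first, then build an argv list so the value
    reaches ping as a single argument and no shell ever parses it."""
    return ["ping", "-c", "1", validate_target(target)]


def run_diagnostic(target: str) -> subprocess.CompletedProcess:
    """Execute the hardened command without a shell (a list argv with the
    default shell=False). On a real device this handler should also run
    as an unprivileged user rather than root, so that a residual bug does
    not yield root code execution as it does on the RV Series."""
    return subprocess.run(
        build_command_safe(target), capture_output=True, text=True, timeout=10
    )


if __name__ == "__main__":
    for t in ("192.0.2.1", "192.0.2.1;ls"):
        print("unsafe:", build_command_unsafe(t))
        try:
            print("safe:  ", build_command_safe(t))
        except ValueError as err:
            print("safe:   rejected ->", err)
```

The contrast to take from this: in the unsafe form the metacharacters named above pass through untouched and the shell decides what they mean; in the hardened form the value is checked against the narrow syntax the endpoint actually needs, and even a value that slipped past validation would be delivered to `ping` as one literal argument rather than parsed by a shell.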

Discovery

Cisco disclosed CVE-2023-20118 in April 2023 but classified the affected RV Series as EoL with no patch available for most models. The nearly two-year gap between disclosure and CISA KEV addition (March 2025) reflects the persistent deployment of these EoL devices in small business environments and the ongoing exploitation of their known-unpatched vulnerabilities.

Exploitation Context

EoL small business routers are a consistent long-tail exploitation target because:

  • They remain deployed for many years after end-of-support
  • Small businesses typically lack dedicated IT security staff to track vulnerability disclosures
  • Default or unchanged administrator credentials are common on deployed SMB devices
  • Compromised small business routers provide persistent network access that is rarely monitored or detected

The March 2025 KEV addition — nearly two years after disclosure — is a strong signal that threat actors are actively scanning for and compromising exposed RV Series routers, likely including state-sponsored actors building persistent access networks through small business infrastructure.

Remediation

  1. Replace EoL devices — Cisco will not release patches for CVE-2023-20118 on these models; replacement with a supported device is the only complete remediation. Cisco recommends the RV340/RV345 series as successors.
  2. Disable web management interface from internet access — restrict the web-based management UI to local LAN access only; never expose router admin interfaces to the internet.
  3. Change default administrator credentials — if replacement is deferred, immediately change the default admin username and password to a strong unique credential.
  4. Enable access control lists (ACLs) — configure management interface ACLs to restrict access to trusted IP addresses only.
  5. Monitor for unauthorized VPN tunnels — check VPN configuration regularly for unauthorized IPsec or SSL VPN entries that may indicate persistence established after exploitation.
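As an added detection example (not Cisco's code or log format), the check below applies two of the points above to management-interface access logs: it flags requests to the admin UI from any source outside the trusted LAN (remediation 2 and 4) and flags parameter values that contain the shell metacharacters named in the Technical Details section. The log lines, the `/cgi-bin/` paths, the parameter names and the trusted network are constructed assumptions; in practice the input would be the router's syslog or the log of a reverse proxy or IDS in front of it.

```python
import ipaddress
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample in a simplified "src_ip method url status" format.
# Not real RV Series log output; the paths and parameter names are
# hypothetical placeholders for a management endpoint.
SAMPLE_LOG = """\
192.168.1.20 POST /cgi-bin/diag.cgi?target=192.0.2.1 200
203.0.113.45 POST /cgi-bin/diag.cgi?target=192.0.2.1;ls 200
192.168.1.20 GET /cgi-bin/config.cgi?name=wan1 200
198.51.100.7 GET /cgi-bin/config.cgi?name=wan1 401
192.168.1.30 POST /cgi-bin/diag.cgi?target=$(ls) 200
10.9.9.9 GET /favicon.ico 404
"""

# Assumed policy: the management UI may only be reached from the office LAN.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("192.168.1.0/24")]
MGMT_PREFIX = "/cgi-bin/"

# Metacharacters from the Technical Details section plus line breaks; none
# belongs in a parameter that expects hostnames or interface names.
SHELL_METACHARS = re.compile(r"[;|&`$(){}<>\n\r]")
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Split one log line into source IP, method, path, decoded query
    parameters and status. Returns None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    src, method, url, status = m.groups()
    parts = urlsplit(url)
    params = {}
    # Split on '&' only, so a ';' inside a value is preserved for inspection.
    for pair in parts.query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params[unquote_plus(name)] = unquote_plus(value)
    return {
        "src": ipaddress.ip_address(src),
        "method": method,
        "path": parts.path,
        "params": params,
        "status": int(status),
    }


def analyze(log_text):
    """Return (source_ip, path, reason) findings for management-UI requests
    from untrusted sources and for parameter values carrying shell
    metacharacters. Requests outside the management prefix are ignored."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(MGMT_PREFIX):
            continue
        if not any(rec["src"] in net for net in TRUSTED_MGMT_NETS):
            findings.append((str(rec["src"]), rec["path"], "mgmt-ui-from-untrusted-source"))
        for name, value in rec["params"].items():
            if SHELL_METACHARS.search(value):
                findings.append((str(rec["src"]), rec["path"], f"shell-metachar-in-param:{name}"))
    return findings


if __name__ == "__main__":
    for src, path, reason in analyze(SAMPLE_LOG):
        print(f"{src:15} {path:22} {reason}")
```

Two of the constructed lines matter for triage: the untrusted source that also sends a metacharacter is the classic "exposed admin UI plus crafted request" case, while the metacharacter arriving from a LAN address is exactly the authenticated (PR:H) path this CVE describes and should be treated as a possible credential compromise rather than dismissed because the source is internal. A request that is rejected with 401 from outside the LAN is still a finding: it shows the interface is reachable from the internet at all.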

Key Details

Property               Value
CVE ID                 CVE-2023-20118
Vendor / Product       Cisco — Small Business RV Series Routers
NVD Published          2023-04-13
NVD Last Modified      2025-10-28
CVSS 3.1 Score         6.5
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Severity               MEDIUM
CWE                    CWE-77
CISA KEV Added         2025-03-03
CISA KEV Deadline      2025-03-24
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    High
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           None

Required Action

CISA BOD 22-01 Deadline: 2025-03-24. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2023-04-05   Cisco publishes advisory cisco-sa-sbr042-multi-vuln-ej76Pke5 disclosing multiple vulnerabilities in Small Business RV Series routers, including CVE-2023-20118
2023-04-13   CVE-2023-20118 formally published
2025-03-03   CISA adds CVE-2023-20118 to the Known Exploited Vulnerabilities catalog, nearly two years after Cisco's advisory
2025-03-24   CISA BOD 22-01 remediation deadline