- 173/2022
- Critical
Cisco has released a security update to fix vulnerabilities across multiple products. The remote attacker could exploit some of these vulnerabilities to take control of the affected system.
The severity of the addressed vulnerabilities could allow the attackers to perform several attacks like bypassing security restrictions, cross-site scripting, frame hijacking attack, obtaining sensitive information, denial of service (DOS), sending a crafted HTTP request to the affected software to allow the attacker to delete arbitrary files from the affected system, executing arbitrary codes and commands leading to complete compromise of the vulnerable system.
The impacted products:
- RV160 VPN Routers
- RV160W Wireless-AC VPN Routers
- RV260 VPN Routers
- RV260P VPN Routers with PoE
- RV260W Wireless-AC VPN Routers
- RV340 Dual WAN Gigabit VPN Routers
- RV340W Dual WAN Gigabit Wireless-AC VPN Routers
- RV345 Dual WAN Gigabit VPN Routers
- RV345P Dual WAN Gigabit POE VPN Routers
- Cisco Webex Meetings
- Cisco BroadWorks Application Delivery Platform
- Cisco Identity Service Engine (ISE)
- Cisco Unified CM
- Cisco Unified CM SME
Sample of the addressed vulnerabilities:
- Cisco Small Business RV Series Routers code execution (CVE-2022-20842):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
- Cisco BroadWorks Application Delivery Platform Software cross-site scripting
- CVSS: 6.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Consequences: Cross-Site Scripting
Vulnerabilities
- CVE-2022-20842
- CVE-2022-20827
- CVE-2022-20841
- CVE-2022-20869
- CVE-2022-20852
- CVE-2022-20820
- CVE-2022-20816
- CVE-2022-20914
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.
https://tools.cisco.com/security/center/publicationListing.x?