VYPR
Unrated severity · NVD Advisory · Published Jun 20, 2019 · Updated Nov 19, 2024

Cisco RV110W, RV130W, and RV215W Routers Denial of Service Vulnerability

CVE-2019-1897

Description

A vulnerability in the web-based management interface of Cisco RV110W, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to disconnect clients that are connected to the guest network on an affected router. The vulnerability is due to improper authorization of an HTTP request. An attacker could exploit this vulnerability by accessing the URL for device disconnection and providing the connected device information. A successful exploit could allow the attacker to deny service to specific clients that are connected to the guest network.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated remote attacker can disconnect guest network clients on Cisco RV110W, RV130W, and RV215W routers via the guest_logout.cgi endpoint.

Vulnerability

The vulnerability resides in the guest_logout.cgi endpoint on Cisco RV110W, RV130W, and RV215W routers [1][2]. This endpoint, used for disconnecting guest network clients, lacks authentication checks, allowing any unauthenticated HTTP request to trigger a device disconnection. Affected firmware versions are those running on the listed hardware; the exact version range is not specified in the references, but the advisory notes that only these three product lines are vulnerable [2].

Exploitation

An unauthenticated, remote attacker can send a crafted HTTP POST request to /guest_logout.cgi with parameters cip (client IP) and cmac (client MAC address) to disconnect a known client from the guest network [1]. The attacker must first obtain the client's IP and MAC address; another vulnerability (CVE-2019-1899) on the same devices can be used to enumerate connected device information [1]. A proof-of-concept command is provided in reference [1] as:

    curl -vv -d "submit_button=status_guestnet.asp&change_action=&submit_type=&gui_action=&cip=10.0.1.100&cmac=10:08:B1:A0:82:29" -H "Content-Type: application/x-www-form-urlencoded" -X POST http://10.0.0.1/guest_logout.cgi

Impact

Successful exploitation allows the attacker to deny service to specific clients connected to the guest network [1][2]. The attacker can disconnect individual clients at will, causing a targeted denial-of-service condition. No authentication or prior access is required, and the attack can be performed remotely over the network.

Mitigation

As of the advisory date, Cisco has released fixed software versions for the affected products; customers should consult the Cisco bug ID (listed in the advisory) to identify the appropriate patched firmware for their device [2]. No workarounds are available [2]. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
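
Detection logic for the request described under Exploitation, added here as an example and not taken from the advisory or its references: it scans HTTP request records for POSTs to /guest_logout.cgi that come from outside an allowed management range, and marks those naming a client other than the requester. The tab-separated record layout (as a sensor or proxy in front of the router might log it, form body included), the `ADMIN_NETS` range and every sample record are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/guest_logout.cgi"  # endpoint named in the text above
# Assumption: only these management stations should ever drive the web UI.
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/28")]

# Constructed records (not real traffic): ts, src, method, uri, status, body.
SAMPLE_LOG = "\n".join("\t".join(r) for r in [
    ("2019-06-21T09:14:02Z", "10.0.0.5", "POST", ENDPOINT, "200",
     "submit_button=status_guestnet.asp&cip=10.0.1.100&cmac=02:00:00:00:00:01"),
    ("2019-06-21T09:20:11Z", "10.0.1.57", "POST", ENDPOINT, "200",
     "submit_button=status_guestnet.asp&cip=10.0.1.100&cmac=02:00:00:00:00:01"),
    ("2019-06-21T09:20:12Z", "10.0.1.57", "GET", "/", "200", ""),
    ("2019-06-21T09:20:15Z", "10.0.1.57", "POST", ENDPOINT, "200",
     "submit_button=status_guestnet.asp&cip=10.0.1.101&cmac=02:00:00:00:00:02"),
    ("2019-06-21T09:31:40Z", "10.0.1.100", "POST", ENDPOINT, "200",
     "cip=10.0.1.100&cmac=02:00:00:00:00:01"),
    ("truncated record",),
])


def is_admin(src):
    """True if src parses as an IP inside an allowed management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source is treated as untrusted
    return any(addr in net for net in ADMIN_NETS)


def find_suspect_logouts(log_text):
    """Return one alert per POST to ENDPOINT from a non-admin source."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 6:
            continue  # skip malformed or truncated records
        ts, src, method, uri, _status, body = parts
        if (method.upper() != "POST" or urlsplit(uri).path != ENDPOINT
                or is_admin(src)):
            continue
        form = parse_qs(body)
        cip = form.get("cip", [None])[0]
        alerts.append({"ts": ts, "src": src, "target_ip": cip,
                       "target_mac": form.get("cmac", [None])[0],
                       # requester naming a client other than itself
                       "targets_other": cip is not None and cip != src})
    return alerts
```

Calling `find_suspect_logouts(SAMPLE_LOG)` returns three alerts; the two from 10.0.1.57 have `targets_other` set, which is the pattern worth triaging first.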

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

References

3
