Unrated severity · NVD Advisory · Published Apr 5, 2023 · Updated Oct 28, 2024

Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers Command Injection Vulnerabilities

CVE-2023-20128

Description

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input. An attacker could exploit these vulnerabilities by sending malicious input to an affected device. A successful exploit could allow the attacker to execute arbitrary commands as the root user on the underlying Linux operating system of the affected device. To exploit these vulnerabilities, an attacker would need to have valid Administrator credentials on the affected device. Cisco has not released software updates to address these vulnerabilities.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cisco Small Business RV320/RV325 routers have unpatched command injection flaws (CVE-2023-20128) allowing authenticated admin attackers to execute arbitrary root commands.

Vulnerability

The web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers contains multiple command injection vulnerabilities, tracked as CVE-2023-20128. These flaws exist due to insufficient validation of user-supplied input. An authenticated attacker with Administrator credentials can inject arbitrary commands. All firmware versions of RV320 and RV325 devices are affected [1]. Cisco has not released software updates to address these vulnerabilities [1].

Exploitation

To exploit these vulnerabilities, the attacker must have valid Administrator credentials for the targeted device. The attacker sends specially crafted malicious input via the web-based management interface. The input is not properly sanitized, allowing injection of operating system commands. No user interaction beyond the attacker's own actions is required, and the attack can be carried out remotely over the network [1].

Impact

Successful exploitation allows the attacker to execute arbitrary commands on the underlying Linux operating system of the affected device with root privileges. This results in full compromise of the router, including the ability to read or modify all data, install malware, pivot to internal networks, and disrupt operations [1].

Mitigation

As of the April 2025 publication date, Cisco has not released software updates to fix these vulnerabilities. There are no available workarounds. The devices are likely end-of-life or end-of-support. Organizations should consider replacing affected RV320 and RV325 routers with supported models. If replacement is not immediately possible, restrict remote management access to trusted IPs only and ensure strong, unique admin passwords are used [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
