CISA Alerts on Active Exploitation of Cisco Small Business Router Flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent warning on March 3, 2025, about actively exploiting a critical command injection vulnerability (CVE-2023-20118) affecting end-of-life Cisco Small Business RV Series Routers.

The flaw, which carries a CVSSv3.1 score of 6.5, enables authenticated attackers to execute arbitrary commands with root privileges, potentially compromising entire networks.

Vulnerability Details and Exploitation

CVE-2023-20118 stems from improper validation of user-supplied HTTP input in the routers’ web-based management interface.

Attackers with valid administrative credentials can craft malicious HTTP requests to bypass security controls, inject commands, and gain unauthorized access to sensitive data or disrupt services.

Cisco confirmed the vulnerability impacts RV016, RV042, RV042G, RV082, RV320, and RV325 models running firmware versions released before April 2023.

Notably, the company has stated it will not release patches, as these devices have reached end-of-life status.

CISA’s advisory highlights that federal agencies must either apply mitigations or discontinue use of affected routers by March 24, 2025, under Binding Operational Directive (BOD) 22-01.

Private organizations are also urged to prioritize remediation, as French cybersecurity firm Sekoia recently observed exploitation attempts linked to the PolarEdge botnet campaign.

This botnet aims to co-opt vulnerable routers into distributed denial-of-service (DDoS) networks or leverage them as entry points for lateral movement.

Risks and Mitigation Challenges

The absence of vendor-supplied patches complicates mitigation. Administrators are advised to:

1. Immediately restrict administrative access to the routers’ management interfaces.
2. Monitor logs for unusual HTTP activity, particularly unauthorized command execution attempts.
3. Consider decommissioning affected devices in favor of supported models.

CISA emphasized that continued use of unpatched routers poses “significant risks to critical infrastructure,” given their prevalence in small business and remote work environments. 

The agency’s alert follows Shadowserver Foundation reports of escalating exploitation attempts since August 2024, though full scope remains unclear.

This incident underscores the dangers of relying on obsolete hardware in enterprise networks.

With Cisco’s RV Series routers widely deployed since the early 2010s, many organizations now face urgent hardware refresh decisions.

Cybersecurity experts warn that delayed action could lead to ransomware attacks, data breaches, or operational downtime,

As threat actors increasingly target legacy systems, CISA’s advisory is a stark reminder to align vulnerability management practices with evolving threats.

For now, network administrators must weigh the cost of new infrastructure against the growing risks of maintaining vulnerable devices.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.