Cisco has patched two critical security vulnerabilities affecting its Small Business VPN routers. These vulnerabilities, tracked as CVE-2022-20842 and CVE-2022-20827, could allow an attacker to execute arbitrary code as the root user on the system or force the device to reload, resulting in a Denial-of-Service condition.
Both vulnerabilities are caused by insufficient input validation in various components of the routers. CVE-2022-20842 exists in the web-based management interface of the router, while CVE-2022-20827 exists in the web filter database update feature. With specially crafted input, both vulnerabilities can be exploited to execute code and commands on the device as the root user, so any maliciously executed code runs with the highest privileges available on the device. CVE-2022-20842 can also be used to forcibly reload the router, causing a Denial-of-Service on the device. Both vulnerabilities can also be exploited remotely without authentication, which makes them significantly easier to exploit.
There has been no reported in-the-wild exploitation for either of these vulnerabilities; however, threat actors commonly develop exploits shortly after patches are released, so it is likely that attacks will start occurring.