This Metasploit module exploits an authentication bypass (CVE-2021-1472) and command injection (CVE-2021-1473) in the Cisco Small Business RV series of VPN/routers. The device does not adequately verify the credentials in the HTTP Authorization field when requests are made to the /upload endpoint. Then the upload.cgi binary will use the contents of the HTTP Cookie field as part of a curl request aimed at an internal endpoint. The curl request is executed using popen and allows the attacker to inject commands via the Cookie field. A remote and unauthenticated attacker using this module is able to achieve code execution as www-data. This module affects the RV340, RV340w, RV345, and RV345P using firmware versions 1.0.03.20 and below.
d5c273af97dd2e97fb770967821e9b90847b04e11e1abb75510669721ee38b45
Cisco RV-series routers suffer from an authentication bypass vulnerability. The RV34X series are also affected by a command injection vulnerability in the sessionid cookie, when requesting the /upload endpoint. A combination of these issues would allow any person who is able to communicate with the web interface to run arbitrary system commands on the router as the www-data user. Vulnerable versions include RV16X/RV26X versions 1.0.01.02 and below and RV34X versions 1.0.03.20 and below.
f3c8685d841186aca43bc22f8ed2b32e8512c7730129f2ed6fe20f360378fa91