CVE-2019-15271
Severity CVSS v4.0:
Pending analysis
Type:
CWE-502
Deserialization of Untrusted Dat
Publication date:
26/11/2019
Last modified:
28/10/2025
Description
A vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. The attacker must have either a valid credential or an active session token. The vulnerability is due to lack of input validation of the HTTP payload. An attacker could exploit this vulnerability by sending a malicious HTTP request to the web-based management interface of the targeted device. A successful exploit could allow the attacker to execute commands with root privileges.
Impact
Base Score 3.x
8.80
Severity 3.x
HIGH
Base Score 2.0
9.00
Severity 2.0
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:cisco:rv016_multi-wan_vpn_firmware:*:*:*:*:*:*:*:* | 4.2.3.10 (excluding) | |
| cpe:2.3:h:cisco:rv016_multi-wan_vpn:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:rv042_dual_wan_vpn_firmware:*:*:*:*:*:*:*:* | 4.2.3.10 (excluding) | |
| cpe:2.3:h:cisco:rv042_dual_wan_vpn:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:rv042g_dual_gigabit_wan_vpn_firmware:*:*:*:*:*:*:*:* | 4.2.3.10 (excluding) | |
| cpe:2.3:h:cisco:rv042g_dual_gigabit_wan_vpn:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:rv082_dual_wan_vpn_firmware:*:*:*:*:*:*:*:* | 4.2.3.10 (excluding) | |
| cpe:2.3:h:cisco:rv082_dual_wan_vpn:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page