CVE-2021-1200 – This vulnerability allows authenticated remote ... (How to Fix)

Q: What is the severity of CVE-2021-1200?

CVE-2021-1200 has a CVSS score of 7.2 (HIGH). This vulnerability allows authenticated remote attackers to execute arbitrary code as root or cause denial of service on affected Cisco Small Business routers. Attackers need valid administrator credentials to exploit these input validation flaws in the web management interface. Organizations using Cisco RV110W, RV130, RV130W, or RV215W routers are affected.

📋 TL;DR

This vulnerability allows authenticated remote attackers to execute arbitrary code as root or cause denial of service on affected Cisco Small Business routers. Attackers need valid administrator credentials to exploit these input validation flaws in the web management interface. Organizations using Cisco RV110W, RV130, RV130W, or RV215W routers are affected.

💻 Affected Systems

Products:

Cisco RV110W
Cisco RV130
Cisco RV130W
Cisco RV215W

Versions: All versions prior to advisory publication

Operating Systems: Cisco IOS-based firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations with web management interface enabled are vulnerable. Requires authenticated access with admin credentials.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise with root-level arbitrary code execution, allowing full control of the router and potential lateral movement into connected networks.

🟠

Likely Case

Denial of service through device reboots disrupting network connectivity, with potential for authenticated attackers to gain persistent access.

🟢

If Mitigated

Limited impact if strong authentication controls prevent unauthorized access to admin credentials and web interface is not exposed.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires valid admin credentials but involves simple HTTP request crafting once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None available

Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-overflow-WUnUgv4U

Restart Required: No

Instructions:

No official patch available. Cisco has not released software updates. Consider workarounds or replacement.

🔧 Temporary Workarounds

Disable Web Management Interface

all

Disable the web-based management interface to prevent HTTP-based exploitation

Use CLI: no ip http server
no ip http secure-server

Restrict Management Access

all

Limit management interface access to specific trusted IP addresses only

access-list 1 permit [trusted_ip]
ip http access-class 1

🧯 If You Can't Patch

Replace affected routers with supported models that receive security updates
Implement network segmentation to isolate vulnerable routers from critical systems

🔍 How to Verify

Check if Vulnerable:

Check router model and firmware version via web interface or CLI 'show version' command

Check Version:

show version

Verify Fix Applied:

Verify web interface is disabled or access is restricted to specific IPs only

📡 Detection & Monitoring

Log Indicators:

Multiple failed authentication attempts followed by successful login
Unusual HTTP POST requests to management interface
Device reboot logs without scheduled maintenance

Network Indicators:

HTTP traffic to router management interface from unexpected sources
Multiple device reboots in short timeframes

SIEM Query:

source="router_logs" (event_type="authentication" AND result="success") OR (event_type="http_request" AND uri="/admin/*")

📊 Metadata

CVE ID: CVE-2021-1200

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-121

Published: January 13, 2021

Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-1200, you might also want to check these: