CVE-2019-1652

HIGH KEV

Cisco RV320 and RV325 Firmware 1.4.2.15-1.4.2.21 - Authenticated Remote Code Execution via HTTP POST Request


Exploitation Summary

CVE-2019-1652 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 3, 2022. EIP tracks 4 public exploits from researchers including Metasploit, RedTeam Pentesting, and 0x27; one of them is the Metasploit module exploits/linux/http/cisco_rv32x_rce.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2019-1653 (info disclosure) and CVE-2019-1652 (command injection) to achieve unauthenticated RCE on Cisco RV320/RV325 routers. It downloads credentials via config export, logs in, and injects a command via certificate generation.

Description

A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands. The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending malicious HTTP POST requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux shell as root. Cisco has released firmware updates that address this vulnerability.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · hardware
https://www.exploit-db.com/exploits/46655

This Metasploit module exploits CVE-2019-1653 (info disclosure) and CVE-2019-1652 (command injection) to achieve unauthenticated RCE on Cisco RV320/RV325 routers. It downloads credentials via config export, logs in, and injects a command via certificate generation.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Cisco RV320 and RV325 routers (older firmware)
No auth needed
Prerequisites: Network access to the router's web interface (port 8007 or 443) · Vulnerable firmware version
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by RedTeam Pentesting · text · webapps · hardware
https://www.exploit-db.com/exploits/46243

This exploit demonstrates a command injection vulnerability in the Cisco RV320 router's web-based certificate generator feature. The vulnerability allows attackers with administrative access to execute arbitrary commands via the 'common_name' parameter in an HTTP POST request.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Cisco RV320 Dual Gigabit WAN VPN Router (versions 1.4.2.15 and later)
Auth required
Prerequisites: Valid session cookie for the router's web interface · Network access to the router
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 227 stars
by 0x27 · infoleak
https://github.com/0x27/CiscoRV320Dump

This repository contains functional exploit code for CVE-2019-1652 and CVE-2019-1653, targeting Cisco RV320/RV325 routers. It includes scripts for dumping configurations, debug data, decrypting diagnostic files, and achieving post-authentication RCE via command injection.

Classification: Working PoC 100%
Attack Type: RCE, Info Leak, Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Cisco RV320/RV325 routers (firmware versions affected by CVE-2019-1652/1653)
Auth required
Prerequisites: Network access to the target device · Valid credentials (or ability to extract them via config dump)
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC NORMAL
by RedTeam Pentesting GmbH, Philip Huppert, Benjamin Grap · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/cisco_rv32x_rce.rb

This Metasploit module exploits CVE-2019-1652, a command injection vulnerability in Cisco RV320 and RV325 routers, combined with CVE-2019-1653 (information disclosure) to achieve unauthenticated remote code execution. It downloads the router's configuration to extract credentials, logs in, and injects a malicious command via the certificate generation page.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Cisco RV320 and RV325 routers
No auth needed
Prerequisites: Network access to the router's web interface (port 8007 or 443) · Router must be running vulnerable firmware
devstral-2 · analyzed Apr 22, 2026

References (9)

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46243/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/106728
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2019/Mar/61
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Mar/55
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/152262/Cisco-RV320-Command-Injection.html
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46655/

Scores

CVSS v3 7.2
EPSS 0.9273
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-03
VulnCheck KEV 2020-03-25
InTheWild.io 2019-01-29
ENISA EUVD EUVD-2019-10209
CWE CWE-78, CWE-20
Status published
Products (2)
cisco/rv320_firmware 1.4.2.15 - 1.4.2.22
cisco/rv325_firmware 1.4.2.15 - 1.4.2.22
Published Jan 24, 2019
KEV Added Mar 03, 2022
Tracked Since Feb 18, 2026