CVE-2019-1653

HIGH · KEV · NUCLEI

Cisco RV320 and RV325 Unauthenticated Remote Code Execution

Title source: metasploit

Exploitation Summary

CVE-2019-1653 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 10 public exploits from sources including Metasploit, Harom Ramos and shaheemirza, among them the Metasploit module auxiliary/gather/cisco_rv320_config. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2019-1653 (info disclosure) and CVE-2019-1652 (command injection) to achieve unauthenticated RCE on Cisco RV320/RV325 routers. It downloads credentials via config export, logs in, and injects a command via certificate generation.

Description

A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. Cisco has released firmware updates that address this vulnerability.

Exploits (10)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · hardware
https://www.exploit-db.com/exploits/46655

This Metasploit module exploits CVE-2019-1653 (info disclosure) and CVE-2019-1652 (command injection) to achieve unauthenticated RCE on Cisco RV320/RV325 routers. It downloads credentials via config export, logs in, and injects a command via certificate generation.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Cisco RV320 and RV325 routers (older firmware)
Authentication: No auth needed
Prerequisites: Network access to the router's web interface (port 8007 or 443) · Vulnerable firmware version
devstral-2 · analyzed Feb 16, 2026
exploitdb · WORKING POC
by Harom Ramos · python · webapps · hardware
https://www.exploit-db.com/exploits/46262

This exploit targets CVE-2019-1653, an information disclosure vulnerability in Cisco RV300/RV320 routers. It sends a GET request to '/cgi-bin/config.exp' to retrieve sensitive configuration data without authentication.

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Cisco RV300/RV320 routers
Authentication: No auth needed
Prerequisites: Network access to the target device
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 4 stars
by shaheemirza · remote
https://github.com/shaheemirza/CiscoSpill

The repository contains a functional bash script that exploits CVE-2019-1653 to extract sensitive information (including passwords) from Cisco RV320 and RV325 routers via an unauthenticated HTTP request to a vulnerable endpoint.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers
Authentication: No auth needed
Prerequisites: Network access to the target router's web interface · HTTP/HTTPS access to the vulnerable endpoint
devstral-2 · analyzed Feb 18, 2026
nomisec · WORKING POC · 1 star
by ibrahimzx · remote
https://github.com/ibrahimzx/CVE-2019-1653

This repository contains a functional Python exploit for CVE-2019-1653, which targets Cisco Small Business RV320 and RV325 routers. The exploit first retrieves credentials via an information disclosure vulnerability and then performs a command injection to enable a telnet service for remote access.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers
Authentication: No auth needed
Prerequisites: Network access to the target device · Web-based management interface exposed
devstral-2 · analyzed Feb 18, 2026
nomisec · SCANNER · 1 star
by dubfr33 · remote
https://github.com/dubfr33/CVE-2019-1653

This repository contains an NSE script for Nmap to scan for Cisco routers vulnerable to CVE-2019-1653, which it describes as a buffer overflow vulnerability in the web-based management interface (note that the advisory text above describes CVE-2019-1653 as improper access control leading to information disclosure, consistent with the Info Leak attack type below). The script checks for the presence of the vulnerability by sending crafted requests to the target host on port 443.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Cisco routers with web-based management interface
Authentication: No auth needed
Prerequisites: Nmap installed · Network access to target host on port 443
devstral-2 · analyzed Feb 18, 2026
gitlab · WORKING POC
by FiveO · poc
https://gitlab.com/FiveO/CiscoExploit

The repository contains a functional Python exploit for CVE-2019-1821, which targets a directory traversal vulnerability in Cisco Prime Infrastructure's Health Monitor HA TarArchive feature. The exploit crafts a malicious tar archive to deploy a JSP backdoor, enabling unauthenticated remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Cisco Prime Infrastructure (versions affected by CVE-2019-1821)
Authentication: No auth needed
Prerequisites: Network access to the target · Target must be running a vulnerable version of Cisco Prime Infrastructure
devstral-2 · analyzed Feb 23, 2026
nomisec · SCANNER
by elzerjp · infoleak
https://github.com/elzerjp/nuclei-CiscoRV320Dump-CVE-2019-1653

This repository provides a Nuclei template to detect exposed Cisco router configuration files (CVE-2019-1653) by checking for the presence of `/cgi-bin/config.exp` and extracting credentials. It includes a detailed guide for using Shodan and Nuclei to identify vulnerable devices.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Cisco RV320 routers
Authentication: No auth needed
Prerequisites: Shodan API key · Nuclei installed · Target URLs or IPs
devstral-2 · analyzed Feb 18, 2026
vulncheck_xdb · WORKING POC
infoleak
https://github.com/0x27/CiscoRV320Dump

This repository contains functional exploit code for CVE-2019-1653 and CVE-2019-1652, targeting Cisco RV320/RV325 routers. It includes scripts for dumping configurations and debug data, decrypting encrypted files, and achieving post-authentication RCE via command injection.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Cisco RV320/RV325 routers
Authentication: Auth required
Prerequisites: Network access to the target device · Valid credentials (default: cisco:cisco)
devstral-2 · analyzed Feb 25, 2026
metasploit · WORKING POC
by RedTeam Pentesting GmbH <[email protected]>, Aaron Soto <[email protected]> · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/cisco_rv320_config.rb

This Metasploit module exploits an improper access control vulnerability in Cisco RV320/RV325 routers to retrieve sensitive configuration files without authentication. It sends an HTTP GET request to a specific URI to download the router's configuration, which may include credentials and other sensitive data.

Classification: Working PoC 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Cisco RV320/RV325 Dual Gigabit WAN VPN routers
Authentication: No auth needed
Prerequisites: Network access to the target device · HTTP/HTTPS access to the web-based management interface
devstral-2 · analyzed Feb 16, 2026
metasploit · WORKING POC · NORMAL
by RedTeam Pentesting GmbH, Philip Huppert, Benjamin Grap · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/cisco_rv32x_rce.rb

This Metasploit module exploits CVE-2019-1653 (info disclosure) and CVE-2019-1652 (command injection) to achieve unauthenticated RCE on Cisco RV320/RV325 routers. It downloads the config to extract credentials, logs in, and injects a command via the certificate generation page to fetch and execute a payload.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Cisco RV320 and RV325 routers (older firmware versions)
Authentication: No auth needed
Prerequisites: Network access to the router's web interface (port 8007 or 443) · Router must be running vulnerable firmware
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Cisco Small Business WAN VPN Routers - Sensitive Information Disclosure
HIGH · by dwisiswant0

References (16)

Third Party Advisory (x_refsource_misc): https://www.youtube.com/watch?v=bx0RQJDlGbY
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/106732
Exploit, Third Party Advisory, VDB Entry (exploit, x_refsource_exploit-db): https://www.exploit-db.com/exploits/46262/
Exploit, Mailing List, Third Party Advisory (mailing-list, x_refsource_fulldisc): http://seclists.org/fulldisclosure/2019/Mar/60
Exploit, Mailing List, Third Party Advisory (mailing-list, x_refsource_fulldisc): http://seclists.org/fulldisclosure/2019/Mar/59
Mailing List, Third Party Advisory (mailing-list, x_refsource_bugtraq): https://seclists.org/bugtraq/2019/Mar/54
Mailing List, Third Party Advisory (mailing-list, x_refsource_bugtraq): https://seclists.org/bugtraq/2019/Mar/53
Third Party Advisory, VDB Entry (exploit, x_refsource_exploit-db): https://www.exploit-db.com/exploits/46655/

Scores

CVSS v3 7.5
EPSS 0.9438
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact partial

Details

CISA KEV 2021-11-03
VulnCheck KEV 2020-03-25
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2019-10210
CWE
CWE-284
Status published
Products (4)
cisco/rv320_firmware 1.4.2.15
cisco/rv320_firmware 1.4.2.17
cisco/rv325_firmware 1.4.2.15
cisco/rv325_firmware 1.4.2.17
Published Jan 24, 2019
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026