CVE-2019-1663

CRITICAL EXPLOITED

Cisco RV110W, RV130W, RV215W - Unauthenticated Remote Code Execution via Web Management Interface

Exploitation Summary

CVE-2019-1663 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 7 public exploits from researchers including Metasploit, @0x00string, and KylVGoi, among them the Metasploit module exploits/linux/http/cve_2019_1663_cisco_rmi_rce.

AI-analyzed exploit summary: This Metasploit module exploits a remote command execution vulnerability in Cisco RV110W/RV130(W)/RV215W routers by sending malicious HTTP requests to the web-based management interface, leveraging improper input validation to achieve arbitrary code execution with high privileges.

Description

A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The vulnerability is due to improper validation of user-supplied data in the web-based management interface. An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of the affected device as a high-privilege user. RV110W Wireless-N VPN Firewall versions prior to 1.2.2.1 are affected. RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected. RV215W Wireless-N VPN Router versions prior to 1.3.1.1 are affected.

Exploits (7)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · hardware
https://www.exploit-db.com/exploits/47348

This Metasploit module exploits a remote command execution vulnerability in Cisco RV110W/RV130(W)/RV215W routers by sending malicious HTTP requests to the web-based management interface, leveraging improper input validation to achieve arbitrary code execution with high privileges.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Cisco RV110W (prior to 1.2.2.1), RV130W (prior to 1.0.3.45), RV215W (prior to 1.3.1.1)
No auth needed
Prerequisites: Network access to the target device's management interface · Target device running a vulnerable firmware version
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · hardware
https://www.exploit-db.com/exploits/46705

This Metasploit module exploits CVE-2019-1663, a remote command execution vulnerability in Cisco RV130W routers due to improper validation in the web-based management interface. It leverages a buffer overflow in the login.cgi endpoint to execute arbitrary commands with high privileges.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Cisco RV130W Wireless-N Multifunction VPN Router < 1.0.3.45
No auth needed
Prerequisites: Network access to the target device · Target device running vulnerable firmware
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by @0x00string · python · remote · hardware
https://www.exploit-db.com/exploits/46961

This exploit leverages a stack-based buffer overflow in Cisco RV130W routers (CVE-2019-1663) to achieve remote code execution via a crafted POST request to the login.cgi endpoint. The payload uses ROP gadgets to bypass DEP and execute an arbitrary command (ping in this case).

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Cisco RV130W Wireless-N Multifunction VPN Router (versions 1.0.3.44 and prior)
No auth needed
Prerequisites: Network access to the target device · Target device must be running a vulnerable firmware version
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by KylVGoi · remote
https://github.com/KylVGoi/cve-2019-1663

This repository contains a functional exploit for CVE-2019-1663, a stack-based buffer overflow in Cisco RV110W, RV130W, and RV215W routers. The exploit leverages a crafted HTTP POST request to achieve unauthenticated remote code execution via ROP gadgets on ARM architecture.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Cisco RV110W, RV130W, RV215W Wireless-N VPN routers
No auth needed
Prerequisites: Network access to the vulnerable router's web interface · Emulated or physical target device for testing
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC
by WolffCorentin · poc
https://github.com/WolffCorentin/CVE-2019-1663-Binary-Analysis

This repository contains a functional exploit for CVE-2019-1663, a buffer overflow vulnerability in Cisco routers caused by improper use of the `strcpy` function. The exploit includes a Python script that crafts a malicious payload to achieve remote code execution (RCE) on vulnerable devices.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Cisco routers (specific models affected by CVE-2019-1663)
No auth needed
Prerequisites: Access to the router's web configuration server · Knowledge of libc base address and gadgets for ROP chain
devstral-2 · analyzed Feb 18, 2026

nomisec STUB
by StealYourCode · poc
https://github.com/StealYourCode/CVE-2019-1663

The repository contains only a README with minimal information about CVE-2019-1663, mentioning affected Cisco router models but no technical details, exploit code, or analysis. It appears to be a placeholder for research that was never completed or published.

Classification: Stub (90%)
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: Cisco RV110, RV130, RV225 routers (version 1.0.44.0)
No auth needed
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC GOOD
by Yu Zhang, Haoliang Lu, T. Shiomitsu, Quentin Kaiser · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/cve_2019_1663_cisco_rmi_rce.rb

This Metasploit module exploits CVE-2019-1663, a remote command execution vulnerability in Cisco RV110W/RV130(W)/RV215W routers due to improper validation of user-supplied data in the web-based management interface. It leverages a buffer overflow to execute arbitrary code with high privileges.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Cisco RV110W Wireless-N VPN Firewall (versions prior to 1.2.2.1), Cisco RV130W Wireless-N Multifunction VPN Router (versions prior to 1.0.3.45), Cisco RV215W Wireless-N VPN Router (versions prior to 1.3.1.1)
No auth needed
Prerequisites: Network access to the target device · Target device running a vulnerable firmware version
devstral-2 · analyzed Feb 16, 2026

References (7)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/107185
Exploit, Third Party Advisory x_refsource_misc
http://www.rapid7.com/db/modules/exploit/linux/http/cisco_rv130_rmi_rce
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46705/

Scores

CVSS v3: 9.8
EPSS: 0.8725
EPSS Percentile: 99.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

VulnCheck KEV: 2019-03-01
CWE: CWE-119, CWE-787
Status: published
Products (3):
cisco/rv110w_firmware < 1.2.2.1
cisco/rv130w_firmware < 1.0.3.45
cisco/rv215w_firmware < 1.3.1.1
Published: Feb 28, 2019
Tracked Since: Feb 18, 2026