CVE-2021-1415

MEDIUM

Cisco Rv340 Firmware < 1.0.03.21 - Insecure Deserialization

Title source: rule

Description

Multiple vulnerabilities in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute arbitrary code with elevated privileges equivalent to the web service process on an affected device. These vulnerabilities exist because HTTP requests are not properly validated. An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the web-based management interface of an affected device. A successful exploit could allow the attacker to remotely execute arbitrary code on the device.

References (2)

[Vendor Advisory] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rv34x-rce-8bfG2h6b

[Third Party Advisory, VDB Entry] https://www.zerodayinitiative.com/advisories/ZDI-21-560/

Scores

CVSS v3 6.3

EPSS 0.0124

EPSS Percentile 79.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Classification

CWE

CWE-502

Status published

Affected Products (4)

cisco/rv340_firmware < 1.0.03.21

cisco/rv340w_firmware < 1.0.03.21

cisco/rv345_firmware < 1.0.03.21

cisco/rv345p_firmware < 1.0.03.21

Timeline

Published Apr 08, 2021

Tracked Since Feb 18, 2026