CVE-2021-1472

MEDIUM EXPLOITED IN THE WILD NUCLEI

Cisco RV Series Firmware - Unauthenticated RCE and Auth Bypass

Title source: llm

Exploitation Summary

CVE-2021-1472 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 1 public exploit from researchers including Takeshi Shiomitsu, jbaines-r7, including a Metasploit module exploits/linux/http/cisco_rv_series_authbypass_and_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits an authentication bypass (CVE-2021-1472) and command injection (CVE-2021-1473) in Cisco Small Business RV series routers. It leverages a flawed credential verification in the /upload endpoint and injects commands via the HTTP Cookie field, achieving remote code execution as www-data.

Description

Multiple vulnerabilities exist in the web-based management interface of Cisco Small Business RV Series Routers. A remote attacker could execute arbitrary commands or bypass authentication and upload files on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.

Exploits (1)

metasploit WORKING POC EXCELLENT

by Takeshi Shiomitsu, jbaines-r7 · rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/cisco_rv_series_authbypass_and_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits an authentication bypass (CVE-2021-1472) and command injection (CVE-2021-1473) in Cisco Small Business RV series routers. It leverages a flawed credential verification in the /upload endpoint and injects commands via the HTTP Cookie field, achieving remote code execution as www-data.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Cisco Small Business RV340, RV340w, RV345, RV345P (firmware versions 1.0.03.20 and below)

No auth needed

Prerequisites: Network access to the target device · HTTPS (port 443) accessibility

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1202 - Indirect Command Execution

devstral-2 · analyzed Feb 19, 2026 Full analysis →

Nuclei Templates (1)

Cisco Small Business RV Series - OS Command Injection

CRITICALVERIFIEDby gy741

Shodan: http.html:"Cisco rv340" || http.html:"cisco rv340"

FOFA: body="cisco rv340"

References (3)

Core 3

Core References

Vendor Advisory vendor-advisory x_refsource_cisco

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rv-bypass-inject-Rbhgvfdx

Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2021/Apr/39

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/162238/Cisco-RV-Authentication-Bypass-Code-Execution.html

Scores

CVSS v3 5.3

EPSS 0.7247

EPSS Percentile 99.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

VulnCheck KEV 2021-10-07

InTheWild.io 2024-09-18

CWE

CWE-119 CWE-287

Status published

Products (9)

cisco/rv160_firmware < 1.0.01.03

cisco/rv160w_firmware < 1.0.01.03

cisco/rv260_firmware < 1.0.01.03

cisco/rv260p_firmware < 1.0.01.03

cisco/rv260w_firmware < 1.0.01.03

cisco/rv340_firmware < 1.0.03.21

cisco/rv340w_firmware < 1.0.03.21

cisco/rv345_firmware < 1.0.03.21

cisco/rv345p_firmware < 1.0.03.21

Published Apr 08, 2021

Tracked Since Feb 18, 2026