CVE-2023-20118
Is CVE-2023-20118 real, exploitable, or a false positive? Here's the community ground truth.
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
A vulnerability in the web-based management interface of Cisco Small Business Routers RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary commands on an affected device. This vulnerability is due to improper validation of user input within incoming HTTP packets. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface. A successful exploit could allow the attacker to gain root-level privileges and access unauthorized data. To exploit this vulnerability, an attacker would need to have valid administrative credentials on the affected device. Cisco has not and will not release software updates that address this vulnerability. However, administrators may disable the affected feature as described in the Workarounds section of the Cisco advisory.
Community ground truth
Community verdict: 2 verdicts (includes TruePositive's curated baseline from public sources; community verdicts accrue on top).
Practitioners rate this higher than its CVSS — treat with extra caution.
Field notes & remediation
Verdicts are the quick signal — notes are the evidence and fixes behind them.
- Cisco Small Business RV Series Routers Command Injection Vulnerability — Multiple Cisco Small Business RV Series Routers contain a command injection vulnerability in the web-based management interface. Successful exploitation could allow an authenticated, remote attacker to gain root-level privileges and access unauthorized data. Listed in the CISA KEV catalog (added 2025-03-03) — confirmed exploited in the wild, not theoretical. FIRST EPSS puts the chance of exploitation in the next 30 days at ~54%. Treat it as real and prioritize remediation over triage.
- Required action for Cisco Small Business RV Series Routers: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. CISA set a federal remediation due date of 2025-03-24. After patching, verify the vulnerable path is no longer reachable before closing the finding.
Related CVEs
Same weakness — CWE-77 (Improper Neutralization of Special Elements used in a Command, "Command Injection").
- CVE-2023-1671 (CVSS 9.8, KEV, EPSS 100%)
  A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code.
- CVE-2024-21887 (CVSS 9.1, KEV, EPSS 100%)
  A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
- CVE-2023-1389 (CVSS 8.8, KEV, EPSS 100%)
  TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.
- CVE-2012-1823 (CVSS 9.8, KEV, EPSS 100%)
  sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.
- CVE-2024-3273 (CVSS 7.3, KEV, EPSS 100%)
  ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259284. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.
- CVE-2025-10035 (CVSS 10, KEV, EPSS 100%)
  A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.