What happened

CISA added CVE-2023-20118 to the Known Exploited Vulnerabilities (KEV) catalog on 2025-03-03, signaling confirmed exploitation and mandatory federal remediation prioritization CISA KEV. The entry describes a command injection flaw in the web-based management interface of multiple Cisco Small Business RV Series Routers that, when successfully exploited, allows an authenticated, remote attacker to obtain root-level privileges and access unauthorized data CISA KEV. CISA set a due date of 2025-03-24 for federal agencies and directs organizations to apply vendor mitigations, follow BOD 22-01 guidance for cloud services, or discontinue use if no mitigations are available CISA KEV.

NIST’s NVD tracks the vulnerability under CVE-2023-20118 and classifies it under command injection (CWE-77) affecting Cisco Small Business RV Series Routers NVD entry. The MITRE CVE record provides the canonical identifier and aligns on the vulnerability type and impact for CVE-2023-20118 MITRE CVE.

Why it matters

Edge routers are high-leverage assets: compromise of the management plane can lead to full device control and exposure of sensitive configuration data CISA KEV. CVE-2023-20118 explicitly enables root-level privileges for an authenticated remote attacker via the web management interface, elevating risk from mere admin UI misuse to operating-system level control on the device NVD entry. Inclusion in KEV means exploitation has been observed and remediation should be treated as a top-priority action item, particularly for organizations relying on Small Business RV Series gear at network perimeters CISA KEV.

Because the flaw maps to command injection (CWE-77), the failure mode is arbitrary command execution in the underlying OS context, which in this case is root-level per the advisory descriptions NVD entry. That turns a single web request into a system-level action path—precisely the kind of control-plane break that undermines device integrity and confidentiality of managed data MITRE CVE.

Technical detail

Per CISA’s KEV entry, the vulnerability resides in the routers’ web-based management interface and is exploitable remotely by an authenticated user, resulting in command injection and root-level privileges on the target device CISA KEV. The NVD catalog lists the weakness class as CWE-77 (improper neutralization of special elements used in a command), consistent with arbitrary command execution when user-controlled input is concatenated or evaluated by the system shell NVD entry. The impact cited across records includes the ability to access unauthorized data, which follows from gaining root context on a device that handles routing, VPN, and administrative configuration data MITRE CVE.

Operationally, the attack path is narrow but potent: an authenticated remote actor interacts with the management UI, triggers the injection point, and executes commands with root privileges, bypassing normal administrative safeguards through OS-level execution CISA KEV. The weakness is not described as requiring local access, implying that any network-reachable management interface presents exposure if credentials are present and the vulnerable code path is hit NVD entry.

Defense

• Prioritize remediation in line with the KEV directive: apply vendor mitigations immediately, follow BOD 22-01 where applicable, or retire affected devices if no fixes are available CISA KEV.
• Track the federal due date of 2025-03-24 for mandated action; treat the same timeline as a de facto SLA for non-federal environments given active exploitation CISA KEV.
• Validate inventory for Cisco Small Business RV Series Routers and segment or isolate management interfaces until mitigation/updates are in place CISA KEV.
• Reduce exposed attack surface: restrict web management to trusted networks and disable remote administration where not operationally necessary during remediation windows NVD entry.
• Increase monitoring of administrative activity on affected devices: alert on unexpected configuration changes or access to sensitive data paths that align with the described root-level impact MITRE CVE.

Lyrie Verdict

CVE-2023-20118 is a management-plane command injection on perimeter gear, already observed in the wild per KEV—patch now and assume adversaries can turn a single authenticated web request into root on the box CISA KEV. This is exactly where autonomous, machine-speed defense pays: Lyrie correlates management-interface events with post-request system actions to spot command-injection-style execution chains characteristic of CWE-77 issues on network devices NVD entry. We treat router admin traffic as high-risk telemetry and auto-enforce guardrails—flagging anomalous command execution following HTTP admin calls and isolating affected nodes before humans can triage, aligning response urgency with KEV prioritization and due dates CISA KEV.