Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-24697

CVE-2026-24697: Cisco RV Router RCE Vulnerability

CVE-2026-24697 is a remote code execution vulnerability in Cisco RV130/RV130W/RV110W routers caused by OS command injection. Attackers can exploit this flaw to execute arbitrary commands with root privileges.

Published:

CVE-2026-24697 Overview

CVE-2026-24697 is an OS command injection vulnerability [CWE-78] in the start_bonjour() function of the rc binary shipped with Cisco RV130/RV130W and RV110W small business routers. The flaw stems from improper sanitization of the wan_hostname configuration parameter. An authenticated remote attacker can inject arbitrary shell metacharacters into this parameter and execute commands as root on the underlying router operating system.

Critical Impact

Successful exploitation grants full root-level command execution on the router, allowing attackers to intercept traffic, pivot into internal networks, and persist on the device.

Affected Products

  • Cisco RV130 with firmware 1.0.3.55
  • Cisco RV130W with firmware 1.0.3.55
  • Cisco RV110W with firmware 1.2.2.5 and 1.2.2.8

Discovery Timeline

  • 2026-07-08 - CVE-2026-24697 published to the National Vulnerability Database (NVD)
  • 2026-07-08 - Last updated in NVD database

Technical Details for CVE-2026-24697

Vulnerability Analysis

The vulnerability resides in the start_bonjour() function inside the rc binary, which is responsible for initializing the Bonjour/mDNS service on Cisco RV-series routers. During initialization, start_bonjour() reads the wan_hostname value from the router's NVRAM-backed configuration and incorporates it into a shell command string without escaping or validating the input.

Because the resulting string is passed to a shell interpreter, any shell metacharacters (;, |, `, $()) embedded in wan_hostname are executed as separate commands. The rc binary runs with root privileges, so injected commands inherit full control of the device.

Exploitation requires authenticated access to the router's management interface to set the wan_hostname parameter. Once the value is written and the Bonjour service is (re)started, the payload executes.

Root Cause

The root cause is missing input sanitization on a user-controllable configuration value that is later concatenated into a shell command. The start_bonjour() routine trusts the wan_hostname string end-to-end, violating the principle of separating data from code when invoking OS commands.

Attack Vector

An authenticated attacker submits a crafted wan_hostname value through the router's web management interface or configuration API. The value contains shell metacharacters followed by the attacker's command payload. When start_bonjour() is invoked, the shell parses the injected payload and executes it as root, enabling arbitrary code execution, credential theft, firmware modification, or use of the router as a network foothold.

Technical write-up details are documented in the GitHub IoT Vulnerability Document.

Detection Methods for CVE-2026-24697

Indicators of Compromise

  • Unexpected values in the wan_hostname configuration parameter containing shell metacharacters such as ;, |, `, or $().
  • Unfamiliar processes spawned as children of the rc binary or the Bonjour/mDNS service on the router.
  • Outbound connections from the router to unknown IP addresses, particularly on non-standard ports.
  • Unauthorized changes to router firmware, startup scripts, or administrative accounts.

Detection Strategies

  • Audit the router's running configuration and NVRAM for a wan_hostname value that deviates from expected hostname syntax (RFC 1123 alphanumerics and hyphens only).
  • Monitor administrative authentication logs for successful logins from unexpected sources followed by configuration changes to WAN parameters.
  • Inspect network telemetry for anomalous traffic originating from the router itself, which typically only initiates management and DNS traffic.

Monitoring Recommendations

  • Forward router syslog and authentication events to a centralized log platform for correlation and retention.
  • Alert on any modification to the wan_hostname parameter outside of change-control windows.
  • Baseline outbound connections from router management interfaces and alert on deviations.

How to Mitigate CVE-2026-24697

Immediate Actions Required

  • Restrict management access to the router to trusted internal networks and disable remote WAN-side administration.
  • Rotate all administrative credentials on affected RV130, RV130W, and RV110W devices to reduce the risk of an authenticated attacker leveraging reused passwords.
  • Review the wan_hostname value on each device and reset it to a sanitized, expected hostname.
  • Inventory affected devices; the RV130, RV130W, and RV110W product families have reached end-of-life and no longer receive security fixes from Cisco.

Patch Information

At the time of publication, no vendor patch is referenced in the NVD entry for CVE-2026-24697. The affected RV130, RV130W, and RV110W platforms are end-of-life. Consult the technical write-up for the latest details and check Cisco's official advisories for any updates.

Workarounds

  • Replace end-of-life RV130, RV130W, and RV110W routers with a currently supported platform that receives security updates.
  • Enforce strong, unique administrative credentials and multi-factor authentication for any remaining device access paths.
  • Segment affected routers behind an upstream firewall that restricts inbound management traffic and monitors outbound connections.
  • Disable the Bonjour/mDNS service on the router if the feature is not required by the deployment.
bash
# Configuration example: restrict management access and disable remote admin
# (executed on the upstream firewall, not the vulnerable router)
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 -s <trusted_mgmt_subnet> -j ACCEPT
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 -j DROP
iptables -A FORWARD -p tcp -d <router_ip> --dport 80  -j DROP
iptables -A FORWARD -p tcp -d <router_ip> --dport 22  -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.