Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-24699

CVE-2026-24699: Cisco RV110W/RV130 Router RCE Vulnerability

CVE-2026-24699 is a command injection flaw in Cisco RV110W/RV130 routers that allows authenticated attackers to execute arbitrary commands with root privileges. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-24699 Overview

CVE-2026-24699 is an operating system command injection vulnerability [CWE-78] in the sub_34984() function of the rc binary shipped with Cisco small business routers. The affected devices include Cisco RV130 and RV130W routers running firmware 1.0.3.55, and Cisco RV110W routers running firmware 1.2.2.5 and 1.2.2.8. The lan_ipv6_prefixlen configuration parameter is passed to the binary without proper sanitization. An authenticated remote attacker can inject shell metacharacters into this parameter to execute arbitrary commands with root privileges on the underlying operating system.

Critical Impact

Successful exploitation grants root-level command execution on the router, allowing full device compromise, traffic interception, and lateral movement into the LAN.

Affected Products

  • Cisco RV130 with firmware 1.0.3.55
  • Cisco RV130W with firmware 1.0.3.55
  • Cisco RV110W with firmware 1.2.2.5 and 1.2.2.8

Discovery Timeline

  • 2026-07-08 - CVE-2026-24699 published to the National Vulnerability Database
  • 2026-07-08 - Last updated in NVD database

Technical Details for CVE-2026-24699

Vulnerability Analysis

The vulnerability resides in the sub_34984() function within the rc binary, a component responsible for handling router configuration and network initialization tasks. The function consumes the lan_ipv6_prefixlen configuration parameter and incorporates it into a shell command executed by the operating system. Because the value is used without input validation or metacharacter escaping, shell control characters supplied by an authenticated attacker are interpreted by the shell rather than treated as data.

The attacker requires valid administrative credentials, which raises the barrier for exploitation. Once authenticated, however, the attacker gains full root privileges on the router. This provides complete control over routing tables, firewall rules, DNS resolution, and any traffic transiting the device.

Root Cause

The root cause is missing input sanitization on the lan_ipv6_prefixlen parameter before it is embedded in an OS command string. The parameter is expected to hold a numeric IPv6 prefix length, but the binary does not enforce a numeric type or filter shell metacharacters such as ;, |, `, or $().

Attack Vector

An authenticated attacker submits a crafted lan_ipv6_prefixlen value through the router's configuration interface. When the rc binary processes the configuration and reaches sub_34984(), the injected payload is executed by the shell as the root user. See the GitHub IoT Vulnerability Analysis for a detailed technical walkthrough of the vulnerable code path.

Detection Methods for CVE-2026-24699

Indicators of Compromise

  • Unexpected child processes spawned by the rc binary, particularly shells such as /bin/sh or /bin/busybox invoked with arguments containing metacharacters.
  • Configuration entries where lan_ipv6_prefixlen contains non-numeric characters such as ;, |, backticks, or $().
  • Outbound network connections originating from the router to unfamiliar hosts, indicating potential reverse shells or C2 channels.

Detection Strategies

  • Monitor administrative sessions on affected routers for configuration changes to IPv6 LAN settings, correlating with the source IP and user account.
  • Inspect exported router configurations for anomalous values in the lan_ipv6_prefixlen field and flag any content that is not a valid integer.
  • Capture and review syslog output from the router for shell errors or unexpected command output associated with rc execution.

Monitoring Recommendations

  • Restrict management interface exposure and log all authentication events against router admin accounts.
  • Baseline expected outbound traffic from routers and alert on deviations such as connections to non-corporate IP ranges.
  • Aggregate router logs into a centralized SIEM to enable correlation with endpoint and identity telemetry.

How to Mitigate CVE-2026-24699

Immediate Actions Required

  • Change all administrative credentials on affected RV130, RV130W, and RV110W devices and enforce strong, unique passwords.
  • Disable remote management on the WAN interface and restrict LAN-side management to a dedicated administrative subnet.
  • Audit router configurations for suspicious values in lan_ipv6_prefixlen and other IPv6 parameters.

Patch Information

Cisco RV130, RV130W, and RV110W routers reached end-of-life status prior to this disclosure, and vendor security patches are not expected. Refer to the GitHub IoT Vulnerability Analysis for research details and consult Cisco end-of-life guidance for replacement recommendations.

Workarounds

  • Replace end-of-life RV130, RV130W, and RV110W devices with supported hardware that receives ongoing security updates.
  • Place affected routers behind an upstream firewall and block untrusted access to the management plane.
  • Segment the network so that a compromised router cannot pivot into sensitive internal systems, and monitor the segment for anomalous traffic.
bash
# Configuration example: restrict management access via upstream ACL
# Example only - adapt to your upstream device syntax
access-list MGMT_ONLY permit tcp <admin_subnet> host <router_ip> eq 443
access-list MGMT_ONLY deny   tcp any host <router_ip> eq 443
access-list MGMT_ONLY deny   tcp any host <router_ip> eq 80

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.