Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-24700

CVE-2026-24700: Cisco RV Routers RCE Vulnerability

CVE-2026-24700 is a remote code execution flaw in Cisco RV130/RV130W/RV110W routers that allows authenticated attackers to execute arbitrary commands with root privileges. This post covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-24700 Overview

CVE-2026-24700 is an operating system (OS) command injection vulnerability in the start_lltd() function of the rc binary shipped with Cisco small business routers. The affected devices include Cisco RV130 and RV130W with firmware 1.0.3.55, and RV110W with firmware 1.2.2.5 and 1.2.2.8. The machine_name configuration parameter is not sanitized before being passed to a shell context. An authenticated remote attacker can inject arbitrary shell metacharacters to execute commands with root privileges. The flaw is tracked under CWE-78.

Critical Impact

Successful exploitation grants root-level command execution on affected Cisco small business routers, giving attackers full control over network traffic and device configuration.

Affected Products

  • Cisco RV130 with firmware 1.0.3.55
  • Cisco RV130W with firmware 1.0.3.55
  • Cisco RV110W with firmware 1.2.2.5 and 1.2.2.8

Discovery Timeline

  • 2026-07-08 - CVE-2026-24700 published to the National Vulnerability Database (NVD)
  • 2026-07-08 - Last updated in NVD database

Technical Details for CVE-2026-24700

Vulnerability Analysis

The vulnerability resides in the start_lltd() routine of the rc binary, which runs as root during router initialization and configuration reloads. The function reads the machine_name value from NVRAM configuration and incorporates it directly into a shell command string. Because the parameter is neither escaped nor validated against a character allowlist, shell metacharacters such as ;, |, `, and $() are interpreted by the invoked shell. An authenticated attacker who can modify the machine_name configuration parameter through the router's management interface can trigger command execution the next time start_lltd() runs. Because the rc binary executes as root, injected commands inherit full system privileges.

Root Cause

The root cause is missing input sanitization on a configuration parameter that reaches a shell interpreter. The machine_name value flows from user-controlled configuration storage into a command constructed with system()-style semantics, matching the pattern described by CWE-78 (Improper Neutralization of Special Elements used in an OS Command).

Attack Vector

Exploitation requires authenticated access to the router's management interface to write the malicious machine_name value. Once stored, the payload executes when start_lltd() is invoked, either as part of service startup or configuration reload. See the GitHub IoT Vulnerability Documentation for the reverse engineering write-up of the vulnerable code path.

Detection Methods for CVE-2026-24700

Indicators of Compromise

  • Unexpected values in the machine_name NVRAM parameter containing shell metacharacters such as ;, &, |, backticks, or $(
  • Outbound connections from the router to unknown hosts following configuration changes
  • New or modified processes spawned as children of the rc binary or lltd service

Detection Strategies

  • Audit router configuration exports for anomalous machine_name values and compare against a known-good baseline
  • Monitor administrative sessions to the router web interface for configuration writes to LLTD-related parameters
  • Inspect syslog output forwarded from affected devices for unexpected shell activity around service start events

Monitoring Recommendations

  • Forward router logs to a centralized log platform and alert on configuration changes to identity or naming parameters
  • Track network flows originating from router management IPs, which should not initiate outbound sessions to arbitrary destinations
  • Restrict and log access to the router administrative interface using network segmentation and jump hosts

How to Mitigate CVE-2026-24700

Immediate Actions Required

  • Restrict access to the router's web administration interface to trusted management networks only
  • Rotate administrative credentials on all affected RV130, RV130W, and RV110W devices
  • Review the current machine_name configuration value on each device and reset it to a safe alphanumeric string
  • Plan replacement of end-of-life Cisco small business routers with supported hardware

Patch Information

Cisco RV130, RV130W, and RV110W routers have reached end-of-life, and Cisco has previously stated that vulnerabilities in these product lines will not receive firmware updates. Refer to the GitHub IoT Vulnerability Documentation for current technical details and consult Cisco end-of-life notices for migration guidance.

Workarounds

  • Disable remote management on the WAN interface and permit administration only from a dedicated internal VLAN
  • Place affected routers behind an upstream firewall that blocks untrusted access to management ports
  • Replace affected devices with a currently supported router platform, as no vendor patch is available

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.