CVE-2026-24700 Overview
CVE-2026-24700 is an operating system (OS) command injection vulnerability in the start_lltd() function of the rc binary shipped with Cisco small business routers. The affected devices include Cisco RV130 and RV130W with firmware 1.0.3.55, and RV110W with firmware 1.2.2.5 and 1.2.2.8. The machine_name configuration parameter is not sanitized before being passed to a shell context. An authenticated remote attacker can inject arbitrary shell metacharacters to execute commands with root privileges. The flaw is tracked under CWE-78.
Critical Impact
Successful exploitation grants root-level command execution on affected Cisco small business routers, giving attackers full control over network traffic and device configuration.
Affected Products
- Cisco RV130 with firmware 1.0.3.55
- Cisco RV130W with firmware 1.0.3.55
- Cisco RV110W with firmware 1.2.2.5 and 1.2.2.8
Discovery Timeline
- 2026-07-08 - CVE-2026-24700 published to the National Vulnerability Database (NVD)
- 2026-07-08 - Last updated in NVD database
Technical Details for CVE-2026-24700
Vulnerability Analysis
The vulnerability resides in the start_lltd() routine of the rc binary, which runs as root during router initialization and configuration reloads. The function reads the machine_name value from NVRAM configuration and incorporates it directly into a shell command string. Because the parameter is neither escaped nor validated against a character allowlist, shell metacharacters such as ;, |, `, and $() are interpreted by the invoked shell. An authenticated attacker who can modify the machine_name configuration parameter through the router's management interface can trigger command execution the next time start_lltd() runs. Because the rc binary executes as root, injected commands inherit full system privileges.
Root Cause
The root cause is missing input sanitization on a configuration parameter that reaches a shell interpreter. The machine_name value flows from user-controlled configuration storage into a command constructed with system()-style semantics, matching the pattern described by CWE-78 (Improper Neutralization of Special Elements used in an OS Command).
Attack Vector
Exploitation requires authenticated access to the router's management interface to write the malicious machine_name value. Once stored, the payload executes when start_lltd() is invoked, either as part of service startup or configuration reload. See the GitHub IoT Vulnerability Documentation for the reverse engineering write-up of the vulnerable code path.
Detection Methods for CVE-2026-24700
Indicators of Compromise
- Unexpected values in the machine_name NVRAM parameter containing shell metacharacters such as ;, &, |, backticks, or $(
- Outbound connections from the router to unknown hosts following configuration changes
- New or modified processes spawned as children of the rc binary or lltd service
Detection Strategies
- Audit router configuration exports for anomalous machine_name values and compare against a known-good baseline
- Monitor administrative sessions to the router web interface for configuration writes to LLTD-related parameters
- Inspect syslog output forwarded from affected devices for unexpected shell activity around service start events
Monitoring Recommendations
- Forward router logs to a centralized log platform and alert on configuration changes to identity or naming parameters
- Track network flows originating from router management IPs, which should not initiate outbound sessions to arbitrary destinations
- Restrict and log access to the router administrative interface using network segmentation and jump hosts
How to Mitigate CVE-2026-24700
Immediate Actions Required
- Restrict access to the router's web administration interface to trusted management networks only
- Rotate administrative credentials on all affected RV130, RV130W, and RV110W devices
- Review the current machine_name configuration value on each device and reset it to a safe alphanumeric string
- Plan replacement of end-of-life Cisco small business routers with supported hardware
Patch Information
Cisco RV130, RV130W, and RV110W routers have reached end-of-life, and Cisco has previously stated that vulnerabilities in these product lines will not receive firmware updates. Refer to the GitHub IoT Vulnerability Documentation for current technical details and consult Cisco end-of-life notices for migration guidance.
Workarounds
- Disable remote management on the WAN interface and permit administration only from a dedicated internal VLAN
- Place affected routers behind an upstream firewall that blocks untrusted access to management ports
- Replace affected devices with a currently supported router platform, as no vendor patch is available
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

