CVE-2026-24698
Received Received - Intake

OS Command Injection in Cisco RV130/RV130W and RV110W Routers

Vulnerability report for CVE-2026-24698, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: MITRE

Description

An OS command injection vulnerability exists in the save_syslog_to_file() function of the "httpd" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The model_name configuration parameter is not properly sanitized, which could allow an authenticated remote attacker to execute arbitrary OS commands with root privileges.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
cisco rv130 1.0.3.55
cisco rv110w 1.2.2.5
cisco rv110w 1.2.2.8

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

Exploitation of this vulnerability can lead to remote code execution on the affected router with root privileges.

An attacker can execute arbitrary commands, potentially gaining full control over the device, which may include persistent command execution across device reboots.

This complete compromise of the router's security can disrupt network operations, allow interception or manipulation of network traffic, and facilitate further attacks within the network.

Executive Summary

CVE-2026-24698 is a command injection vulnerability in Cisco RV130 and RV110w routers running certain firmware versions. It exists in the save_syslog_to_file() function of the httpd binary, where the model_name configuration parameter is not properly sanitized.

An authenticated remote attacker can exploit this flaw by injecting malicious OS commands through the model_name parameter, which allows execution of arbitrary system commands with root privileges.

The vulnerability arises because input validation is insufficient, enabling shell command injection via subshell syntax such as $(command) or backticks.

Detection Guidance

This vulnerability can be detected by checking for unusual or unauthorized commands executed on the affected Cisco RV130 or RV110W routers, especially commands injected via the model_name configuration parameter.

Since the vulnerability involves command injection through the httpd service's save_syslog_to_file() function, monitoring the system logs for suspicious entries or unexpected directory creations (e.g., /tmp/cccc) can help detect exploitation.

You can also inspect the router's configuration files for suspicious subshell syntax such as $(command) or backticks in the model_name parameter.

  • Use SSH or console access to the router and run commands to check for unexpected files or directories, for example: `ls -la /tmp/` to look for directories like 'cccc' created by an exploit.
  • Examine the configuration file for the model_name parameter containing shell command injection patterns: `cat /path/to/config | grep model_name`.
  • Monitor running processes or httpd service logs for anomalies that might indicate command injection.
Mitigation Strategies

Immediate mitigation steps include restricting access to the affected devices to trusted administrators only and avoiding the use of the vulnerable firmware versions (1.0.3.55 for RV130 and 1.2.2.5 / 1.2.2.8 for RV110W).

Do not allow untrusted users to authenticate to the device, as exploitation requires authentication.

Review and sanitize the model_name configuration parameter to ensure it does not contain any shell command injection syntax such as subshells or backticks.

If possible, upgrade the device firmware to a version where this vulnerability is patched.

Monitor the device for signs of compromise, such as unexpected files or directories created on the system, and reset the device to factory defaults if compromise is suspected.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24698. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart