Cisco RV-series routers suffer from an authentication bypass vulnerability. The RV34X series are also affected by a command injection vulnerability in the sessionid cookie, when requesting the /upload endpoint. A combination of these issues would allow any person who is able to communicate with the web interface to run arbitrary system commands on the router as the www-data user. Vulnerable versions include RV16X/RV26X versions 1.0.01.02 and below and RV34X versions 1.0.03.20 and below.
f3c8685d841186aca43bc22f8ed2b32e8512c7730129f2ed6fe20f360378fa91