Cisco Won’t Fix Zero-Day RCE in End Of Life VPN Routers

Cisco is advising owners of end-of-life Small Business RV routers to upgrade to newer models after revealing a remote code execution vulnerability that the company will no longer patch.

The vulnerability is tracked as CVE-2022-20825 with a CVSS severity rating of 9.8 out of 10.0.

According to Cisco's security advisory, the flaw stems from insufficient validation of user input in incoming HTTP packets on the affected devices.

A hacker could exploit it by sending a specially crafted request to the web-based management interface, leading to command execution with root-level privileges.

The vulnerability affects four Small Business RV Series models, namely the RV110W Wireless-N VPN Firewall, the RV130 VPN Router, the RV130W Wireless-N Multifunction VPN Router, and the RV215W Wireless-N VPN Router.

This vulnerability only impacts devices with the web-based remote management interface enabled on WAN connections. While the remote management feature is disabled in the default configuration, brief searches using Shodan detected exposed devices.

To find out if remote management is enabled, users must log in to the web-based management interface, navigate to “Basic Settings > Remote Management,” and verify the state of the relevant check box.

Cisco will not release a security update for CVE-2022-20825 because the devices are no longer supported. The only available mitigation is to turn off remote management on the WAN interface.

Admins are urged to apply this configuration change until they migrate to Cisco Small Business RV132W, RV160, or RV160W Routers, which the company actively supports.

For more information, read the original story on BleepingComputer.
