Cisco warns of two vulnerabilities affecting end-of-life routers
Cisco warned customers this week that it will not release software updates or workarounds to address two vulnerabilities affecting a line of routers that were last sold in 2020.
The popular routers – Cisco Small Business RV016, RV042, RV042G and RV082 – are affected by CVE-2023-20025 and CVE-2023-20026. Cisco said it is aware that proof-of-concept exploit code is available and noted that the vulnerabilities were discovered by Hou Liuyang of Qihoo 360 Netlab.
The bugs allow a remote attacker to “bypass authentication or execute arbitrary commands on the underlying operating system of an affected device.” Cisco added that the vulnerabilities are not dependent on one another.
CVE-2023-20025 carries a CVSS score of 9 and was rated critical by Cisco. While Cisco said there are no workarounds to address the vulnerability, administrators can mitigate it by disabling the affected feature.
While CVE-2023-20026 has a lower CVSS score of 6, Cisco said it similarly allows an attacker to execute arbitrary commands on an affected device.
Cisco provided detailed advice on how administrators can disable the affected remote management features. But the company warned that while these mitigations were successful in test environments, customers “should determine the applicability and effectiveness in their own environment and under their own use conditions.” It added: “Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations.”
“Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.”
Bugcrowd founder Casey Ellis said small- and medium-sized business routers are very widely deployed and noted that in a post-COVID hybrid work-from-home world, it’s “not just an SMB problem.”
Branch offices and even home offices are potential users of the vulnerable product, Ellis explained, adding that financially motivated attackers and nation-states would be interested because of the raw quantity of these devices that are out there.
“On top of this, it’s an attractive target from a technical point of view. As an attacker, if you manage to get remote code execution on core routing or network infrastructure, your ability to move laterally increases exponentially,” he said.
Vulcan Cyber’s Mike Parkin added that the kind of small businesses that would have these routers typically do not have the budget to replace them.
Even though Cisco plans to continue some form of support for the routers until January 31, 2025, Parkin urged users to replace them sooner rather than later.
“It’s always a best practice not to allow remote administration of network devices accessible from the open internet; however, small businesses using some MSPs/MSSPs have to leave it open for their service providers,” said Netenrich’s John Bambenek.
“That said, this is the worst of all worlds with proof-of-concept code publicly available and no mitigations or patches available.”