As reported by BleepingComputer, the company recently discovered a vulnerability revolving around insufficient user input validation of incoming HPPT packets. By sending a “specially crafted request” to the web-based management interface of these devices, an attacker could end up with root-level privileges. Essentially, they’d be getting free access to the endpoint (opens in new tab).
Tracked as CVE-2022-20825, the flaw has a severity score of 9.8, so it’s pretty dangerous. It was found in four models: the RV110W Wireless-N VPN Firewall, the RV130 VPN Router, the RV130W Wireless-N Multifunction VPN Router, and the RV215W Wireless-N VPN Router.
End of life
These models, however, have reached end-of-life status and as such will not be patched.
A small caveat is that the web-based remote management interface on WAN connections needs to be enabled for the flaw to be exploitable, and by default, it’s not. Still, many exposed devices can be found with a quick Shodan search.
To double-check if your routers have this feature enabled, log into the web-based management interface, and head over to Basic Settings – Remote Management, and uncheck the box. Furthermore, this is the only way to mitigate the threat, and users are advised to do that before moving on to newer models. Cisco was said to be “actively supporting” models RV132W, RV160, and RV160W.
RV160, together with RV260, RV340, and RV345, recently received a patch for five vulnerabilities with a 10/10 severity rating. Among the possibilities for malicious actors exploiting these flaws are arbitrary code and command execution, elevation of privileges, running unsigned software, circumventing authentication, and assimilating the devices into a botnet for Distributed Denial of Service (DDoS) attacks.
To shield against cyberattacks of all kinds, businesses are advised to keep hardware and software up to date, run an antivirus and firewall (opens in new tab) solution, and educate employees on the dangers of phishing and ransomware.