A zero-day vulnerability with a critical 9.8/10 severity rating has been identified in four Cisco Small Business RV Series Routers. These vulnerable products are RV110W Wireless-N VPN Firewall, RV130 VPN Router, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router. These routers are listed as end-of-life products, and so Cisco have stated that they will not be providing any software updates to patch this vulnerability.
The vulnerability tracked as CVE-2022-20825 is primarily a remote code execution flaw, which when exploited allows the attackers to run commands on the affected device with root-level privileges. Attackers can also trigger a denial-of-service attack by causing the device to restart unexpectedly. The flaw in these devices is due to incorrect validation of user input of incoming HTTP packets. This allows the attacker to send specifically made requests to the web-based management interface. Although no workarounds exist to address this, it is possible to prevent these devices from being connected to the web-based management interface by disabling the remote management feature. This is only applicable to devices using WAN, as the web-based management interface connection cannot be disabled through a LAN connection.
These devices have been end-of-life since last year, when Cisco first recommended to customers that an upgrade was necessary, as they would not be releasing a patch for another critical vulnerability. Tracked as CVE-2021-34730, that remote code execution vulnerability affects the Universal Plug-and-Play (UPNP) service, where attackers can once again execute code as the root user on the system. They can also perform a denial-of-service attack with this vulnerability in the same way as with the newly identified flaw.
Using end-of-life devices is always a security risk, as once the developer stops supporting the products vulnerabilities such as this one remain unpatched forever – and as time passes it is more likely that further security flaws will be discovered in the code. Cisco recommends any users of the affected devices upgrade to Cisco Small Business RV132W, RV160, or RV160W Routers.