- 구글 클라우드, 구글 워크스페이스용 제미나이 사이드 패널에 한국어 지원 추가
- The best MagSafe accessories of 2024: Expert tested and reviewed
- Threads will show you more from accounts you follow now - like Bluesky already does
- OpenAI updates GPT-4o, reclaiming its crown for best AI model
- Nile unwraps NaaS security features for enterprise customers
Cisco Warns of Critical Vulnerability in End-of-Life Routers
Cisco has warned customers of a critical authentication bypass vulnerability with public exploit code affecting multiple end-of-life (EoL) VPN routers.
The security flaw (tracked CVE-2023-20025) has been found in the web-based management interface of Cisco Small Business (SMB) RV016, RV042, RV042G and RV082 routers provided by Hou Liuyang of Qihoo 360 Netlab.
“[These vulnerabilities] could allow a remote attacker to bypass authentication or execute arbitrary commands on the underlying operating system of an affected device,” Cisco wrote.
According to Bugcrowd CTO Casey Ellis, SMB routers are widely deployed, and in a post-COVID hybrid/work-from-home world, the new Cisco vulnerability could impact thousands of devices.
“Branch offices, [common operating environments], and even home offices are potential users of the vulnerable product,” Ellis explained.
“Financially motivated attackers would be interested because of the raw quantity of these devices that are out there, and nation-states would likely pay attention because of the size and criticality of potential users.”
Further, the executive believes the vulnerability is also an attractive target from a technical point of view.
“As an attacker, if you manage to get RCE [remote code execution] on core routing or network infrastructure, your ability to move laterally increases exponentially.”
Mike Parkin, a senior technical engineer at Vulcan Cyber, echoed Ellis’ point, adding that the models affected by these vulnerabilities still see reasonably widespread usage, though they are all officially EoL.
“The challenge will be that these devices are typically found in small businesses with limited resources or used by individuals who may not have the budget to replace them,” Parkin warned.
“Unfortunately for them, Cisco is not going to fix this, so anyone who still has one of these in service should strongly consider replacing them with a newer kit sooner rather than later.”
Cisco confirmed it had not released software updates to address the vulnerabilities and that no workarounds address these vulnerabilities.
The flaw comes weeks after Krishna C. Tata, manager of security risk and architecture at Cisco, discussed the challenges of different security compliance frameworks.