Cisco Warns of Critical Vulnerability in End-of-Life Routers

Cisco has warned customers of a critical authentication bypass vulnerability with public exploit code affecting multiple end-of-life (EoL) VPN routers.
The security flaw (tracked as CVE-2023-20025) was found by Hou Liuyang of Qihoo 360 Netlab in the web-based management interface of Cisco Small Business (SMB) RV016, RV042, RV042G and RV082 routers.
“[These vulnerabilities] could allow a remote attacker to bypass authentication or execute arbitrary commands on the underlying operating system of an affected device,” Cisco wrote.
According to Bugcrowd CTO Casey Ellis, SMB routers are widely deployed, and in a post-COVID hybrid/work-from-home world, the new Cisco vulnerability could impact thousands of devices.
“Branch offices, [common operating environments], and even home offices are potential users of the vulnerable product,” Ellis explained.
“Financially motivated attackers would be interested because of the raw quantity of these devices that are out there, and nation-states would likely pay attention because of the size and criticality of potential users.”
Further, the executive believes the vulnerability is also an attractive target from a technical point of view.
“As an attacker, if you manage to get RCE [remote code execution] on core routing or network infrastructure, your ability to move laterally increases exponentially.”
Mike Parkin, a senior technical engineer at Vulcan Cyber, echoed Ellis’ point, adding that the models affected by these vulnerabilities still see reasonably widespread usage, though they are all officially EoL.
“The challenge will be that these devices are typically found in small businesses with limited resources or used by individuals who may not have the budget to replace them,” Parkin warned.
“Unfortunately for them, Cisco is not going to fix this, so anyone who still has one of these in service should strongly consider replacing them with a newer kit sooner rather than later.”
Cisco confirmed that it had not released software updates to address the vulnerabilities and that no workarounds exist for them.
The flaw comes weeks after Krishna C. Tata, manager of security risk and architecture at Cisco, discussed the challenges of different security compliance frameworks.