Cisco fixes critical remote code execution issues in SMB VPN routers

Pierluigi Paganini February 04, 2021

Cisco addressed multiple pre-auth remote code execution (RCE) flaws in small business VPN routers that allow executing arbitrary code as root.

Cisco has fixed several pre-auth remote code execution (RCE) issues in multiple small business VPN routers. The flaws could be exploited by unauthenticated, remote attackers to execute arbitrary code as root on vulnerable devices.

The flaws (CVE-2021-1289, CVE-2021-1290, CVE-2021-1291, CVE-2021-1292, CVE-2021-1293, CVE-2021-1294, CVE-2021-1295) have received a CVSS score of 9.8/10.

The flaws reside in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers 

“Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device.” reads the advisory published by Cisco.

“These vulnerabilities exist because HTTP requests are not properly validated. An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the web-based management interface of an affected device. A successful exploit could allow the attacker to remotely execute arbitrary code on the device.”

The IT giant revealed that the vulnerabilities affect the following Cisco Small Business Routers if they are running a firmware release earlier than Release 1.0.01.02:

  • RV160 VPN Router
  • RV160W Wireless-AC VPN Router
  • RV260 VPN Router
  • RV260P VPN Router with POE
  • RV260W Wireless-AC VPN Router

while the following devices are not affected:

  • RV340 Dual WAN Gigabit VPN Router
  • RV340W Dual WAN Gigabit Wireless-AC VPN Router
  • RV345 Dual WAN Gigabit VPN Router
  • RV345P Dual WAN Gigabit POE VPN Router

Cisco has addressed the flaw with the release of firmware version 1.0.01.02 and later, the vendor added that there are no workarounds that address these vulnerabilities.

The good news is that Cisco Product Security Incident Response Team (PSIRT) is not aware of attacks in the wild exploiting the above vulnerabilities.

The vulnerabilities were reported to Cisco by T. Shiomitsu from Trend Micro Zero Day, swings of Chaitin Security Research Lab, and simp1e of 1AQ Team.

Cisco today has also addressed high severity vulnerabilities impacting other business routers and the IOS XR software.

Last month, Cisco has also patched several pre-auth RCE vulnerabilities affecting multiple SD-WAN products and the Cisco Smart Software Manager software.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, VPN routes)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment