Cisco revealed that security updates released in January to address vulnerabilities in Small Business RV320 and RV325 routers were not complete. The tech giant also confirmed that the flaws have been exploited in attacks in the wild.
In January, the tech giant addressed two serious issues in Cisco’s Small Business RV320 and RV325 routers. The first one could be exploited by a remote and unauthenticated attacker with admin privileges to obtain sensitive information (CVE-2019-1653), while the second one can be exploited for command injection (CVE-2019-1652).
Chaining the two flaws it is possible to take over the Cisco RV320 and RV325 routers, the hackers exploit the bugs to obtain hashed passwords for a privileged account and run arbitrary commands as root.
After Cisco released security patches, hackers started exploiting the flaws in the routers. After the disclosure of proof-of-exploit code for security flaws in Cisco RV320 and RV325 routers, hackers started scanning the Internet for vulnerable devices in an attempt to take compromise them.
Searching on Shodan for vulnerable Cisco RV320 and RV325 routers it is possible to find tens of thousands of devices online.
The popular expert Troy Mursch, chief research officer at Bad Packets, searched for vulnerable systems using the BinaryEdge search engine and found 9,657 devices exposed online (6,247 Cisco RV320 routers and 3,410, are Cisco RV325 routers).
Unfortunately, the fixes were incomplete allowing threat actors to continue to exploit them in
“The initial fix for this vulnerability was found to be incomplete. Cisco is currently working on a complete fix,” reads the security advisory published by Cisco.. “Firmware updates that address this vulnerability are not currently available. There are no workarounds that address this vulnerability.”