Security News > 2021 > August > Cisco Issues Critical Security Patches to Fix Small Business VPN Router Bugs
Networking equipment major Cisco has rolled out patches to address critical vulnerabilities impacting its Small Business VPN routers that could be abused by a remote attacker to execute arbitrary code and even cause a denial-of-service condition.
The issues, tracked as CVE-2021-1609 and CVE-2021-1610, reside in the web-based management interface of the Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers running a firmware release prior to version 1.0.03.22.
Also addressed by Cisco is a high-severity remote code execution bug impacting Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers that could be leveraged by an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device.
Small Business RV Series Routers running firmware versions earlier than 1.0.01.04 are susceptible.
"A successful exploit could allow the attacker to execute arbitrary commands on an affected device using root-level privileges. Due to the nature of the vulnerability, only commands without parameters can be executed."
CVE-2021-1602 marks the second time Cisco has fixed critical remote code execution flaws concerning the same set of VPN appliances.
News URL
Related news
- CISA Warns of Critical Fortinet Flaw as Palo Alto and Cisco Issue Urgent Security Patches (source)
- MFA bypass becomes a critical security issue as ransomware tactics advance (source)
- HPE patches three critical security holes in Aruba PAPI (source)
- DrayTek fixed critical flaws in over 700,000 exposed routers (source)
- Two simple give-me-control security bugs found in Optigo network switches used in critical manufacturing (source)
- Cisco fixes VPN DoS flaw discovered in password spray attacks (source)
- New Cisco ASA and FTD features block VPN brute-force password attacks (source)
- Cisco Releases Patch for Critical URWB Vulnerability in Industrial Wireless Systems (source)
- Critical vulnerability in Cisco industrial wireless access points fixed (CVE-2024-20418) (source)
- Cisco scores a perfect CVSS 10 with critical flaw in its wireless system (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-08-04 | CVE-2021-1610 | Unspecified vulnerability in Cisco Small Business RV Series Router Firmware Multiple vulnerabilities in the web-based management interface of the Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an attacker to do the following: Execute arbitrary code Cause a denial of service (DoS) condition Execute arbitrary commands For more information about these vulnerabilities, see the Details section of this advisory. | 8.8 |
| 2021-08-04 | CVE-2021-1609 | Unspecified vulnerability in Cisco Small Business RV Series Router Firmware Multiple vulnerabilities in the web-based management interface of the Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an attacker to do the following: Execute arbitrary code Cause a denial of service (DoS) condition Execute arbitrary commands For more information about these vulnerabilities, see the Details section of this advisory. | 9.8 |
| 2021-08-04 | CVE-2021-1602 | OS Command Injection vulnerability in Cisco Small Business RV Series Router Firmware 1.0.0.30/1.0.0.33/1.0.1.3 A vulnerability in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. | 9.8 |