Cisco Patches Critical Vulnerability in Small Business VPN Routers
Cisco on Wednesday announced the release of patches for a critical vulnerability in small business VPN routers that could allow unauthenticated attackers to execute arbitrary code on affected devices.
To exploit the bug, a remote, unauthenticated attacker has to send specially crafted HTTP requests to an affected device, which could allow them to execute arbitrary code or cause a denial of service condition.
CVE-2021-1610, a second vulnerability addressed in the same devices, could result in an attacker executing arbitrary commands as root.
While exploitation is similar to the critical vulnerability, authentication is required for a successful attack, which lowers the bug's severity rating to high.
The company has released patches for both issues and says that it's not aware of any malicious attacks exploiting them.
"Organizations that use these Cisco Small Business VPN routers and have exposed their management interface externally can address these flaws by patching their devices. If patching is not feasible at this time, disabling the remote management option on these devices will mitigate the flaws until patches can be applied," Narang said.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-08-04 | CVE-2021-1610 | Unspecified vulnerability in Cisco Small Business RV Series Router Firmware. Multiple vulnerabilities in the web-based management interface of the Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an attacker to do the following: execute arbitrary code; cause a denial of service (DoS) condition; execute arbitrary commands. For more information about these vulnerabilities, see the Details section of this advisory. | 8.8 |