Security News > 2021 > August > Cisco won’t fix zero-day RCE vulnerability in end-of-life VPN routers
In a security advisory published on Wednesday, Cisco said that a critical vulnerability in Universal Plug-and-Play service of multiple small business VPN routers will not be patched because the devices have reached end-of-life.
"The Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have entered the end-of-life process."
According to an announcement on Cisco's website, the last day these RV Series routers were available for order was December 2, 2019.
The company asks customers who are still using these router models to migrate to newer Cisco Small Business RV132W, RV160, or RV160W Routers that still receive security updates.
The company also released a patch for another zero-day vulnerability in the Cisco AnyConnect Secure Mobility Client VPN software six months after initial disclosure, even though it was aware of publicly available proof-of-concept exploit code.
Even though Cisco did not share the reason behind the delay, a fix was likely not a priority because there was no evidence of in the wild abuse and default configurations were not vulnerable to attacks.
News URL
Related news
- Zero-Day Vulnerability in Ivanti VPN (source)
- New Cleo zero-day RCE flaw exploited in data theft attacks (source)
- Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks (source)
- New Mirai botnet targets industrial routers with zero-day exploits (source)
- Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks (source)
- Unsecured Tunneling Protocols Expose 4.2 Million Hosts, Including VPNs and Routers (source)
- Hackers Exploit Zero-Day in cnPilot Routers to Deploy AIRASHI DDoS Botnet (source)
- Cisco fixes ClamAV vulnerability with available PoC and critical Meeting Management flaw (source)
- Custom Backdoor Exploiting Magic Packet Vulnerability in Juniper Routers (source)
- SonicWall warns of SMA1000 RCE flaw exploited in zero-day attacks (source)