Security News > 2021 > August > Cisco won’t fix zero-day RCE vulnerability in end-of-life VPN routers

In a security advisory published on Wednesday, Cisco said that a critical vulnerability in Universal Plug-and-Play service of multiple small business VPN routers will not be patched because the devices have reached end-of-life.

"The Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have entered the end-of-life process."

According to an announcement on Cisco's website, the last day these RV Series routers were available for order was December 2, 2019.

The company asks customers who are still using these router models to migrate to newer Cisco Small Business RV132W, RV160, or RV160W Routers that still receive security updates.

The company also released a patch for another zero-day vulnerability in the Cisco AnyConnect Secure Mobility Client VPN software six months after initial disclosure, even though it was aware of publicly available proof-of-concept exploit code.

Even though Cisco did not share the reason behind the delay, a fix was likely not a priority because there was no evidence of in the wild abuse and default configurations were not vulnerable to attacks.

News URL

https://www.bleepingcomputer.com/news/security/cisco-won-t-fix-zero-day-rce-vulnerability-in-end-of-life-vpn-routers/