Cisco says it won’t fix zero-day RCE in end-of-life VPN routers
Cisco advises owners of end-of-life Small Business RV routers to upgrade to newer models after disclosing a remote code execution vulnerability that will not be patched.
According to a Cisco security advisory, the flaw exists due to insufficient user input validation of incoming HTTP packets on the impacted devices.
To determine whether remote management is enabled, admins should log in to the web-based management interface, navigate to "Basic Settings > Remote Management," and verify the state of the relevant check box.
Users are advised to apply the configuration changes until they migrate to Cisco Small Business RV132W, RV160, or RV160W Routers, which the vendor actively supports.
Cisco warned last year that admins should upgrade to newer models after disclosing that it would not fix a critical vulnerability in the Universal Plug-and-Play service.
This week, Cisco patched a critical vulnerability in Cisco Secure Email that could allow attackers to bypass authentication and log in to the web management interface of the Cisco email gateway.