Cisco says it won’t fix zero-day RCE in end-of-life VPN routers
Cisco advises owners of end-of-life Small Business RV routers to upgrade to newer models after disclosing a remote code execution vulnerability that will not be patched.
According to a Cisco security advisory, the flaw exists due to insufficient user input validation of incoming HTTP packets on the impacted devices.
To determine whether remote management is enabled, admins should log in to the web-based management interface, navigate to "Basic Settings > Remote Management," and verify the state of the relevant check box.
Users are advised to apply the configuration changes until they migrate to Cisco Small Business RV132W, RV160, or RV160W Routers, which the vendor actively supports.
Cisco warned last year that admins should upgrade to newer models after disclosing that it would not fix a critical vulnerability in the Universal Plug-and-Play service.
This week, Cisco patched a critical vulnerability in Cisco Secure Email that could allow attackers to bypass authentication and log in to the web management interface of the Cisco email gateway.
Related news
- D-Link urges users to retire VPN routers impacted by unfixed RCE flaw
- Cisco fixes VPN DoS flaw discovered in password spray attacks
- New Cisco ASA and FTD features block VPN brute-force password attacks
- Palo Alto Networks warns of critical RCE zero-day exploited in attacks
- Chinese hackers exploit Fortinet VPN zero-day to steal credentials
- D-Link tells users to trash old VPN routers over bug too dangerous to identify