Cisco won’t fix authentication bypass zero-day in EoL routers
2022-09-07 17:05

Cisco says that a new authentication bypass flaw affecting multiple small business VPN routers will not be patched because the devices have reached end-of-life.

"A successful exploit could allow the attacker to bypass authentication and access the IPSec VPN network," Cisco explained in a security advisory issued on Wednesday.

Cisco asked customers still using the RV110W, RV130, RV130W, and RV215W routers affected by this security vulnerability to upgrade to newer models still receiving security updates.

According to an end-of-sale announcement on Cisco's website, the last day these RV Series routers were available for order was December 2, 2019.

"Customers are encouraged to migrate to Cisco Small Business RV132W, RV160, or RV160W Routers."

CVE-2022-20923 is not the first severe security vulnerability affecting these EoL router models that Cisco left unpatched in recent years.


News URL

https://www.bleepingcomputer.com/news/security/cisco-won-t-fix-authentication-bypass-zero-day-in-eol-routers/

Related Vulnerability

DATE: 2022-09-08
CVE: CVE-2022-20923
VULNERABILITY TITLE: Improper Authentication vulnerability in Cisco products
A vulnerability in the IPSec VPN Server authentication functionality of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to bypass authentication controls and access the IPSec VPN network.
RISK: critical, 9.8 (network, low complexity)
cisco, CWE-287

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Cisco 4435 231 3048 1811 602 5692