Dump these small-biz routers, says Cisco, because we won't patch their flawed VPN
Cisco patched three security vulnerabilities in its products this week, and said it will leave unpatched a VPN-hijacking flaw that affects four small business routers.
Cisco said its Product Security Incident Response Team has seen neither public disclosures about the vulnerability nor evidence that any cybercriminal has exploited the flaw.
Two of the vulnerabilities Cisco has patched carried severity ratings of "High."
"If an error condition is observed on the device interface, the device may either reload or fail to receive traffic, resulting in a denial of service condition," Cisco wrote in its advisory.
Another high-severity vulnerability that Cisco patched affected the binding configuration of Cisco Software-Defined WAN containers. It could enable an unauthenticated, adjacent attacker who has access to the VPN0 logical network to also access the messaging service ports on vulnerable systems.
PSIRT said it found no announcements or exploitation of either flaw, though the unit knows that proof-of-concept exploit code is available to cybercriminals for the one in Nvidia's MLNX DPDK. In addition, Cisco issued a patch for a vulnerability in the Webex App that could allow an unauthenticated remote attacker to modify links or other content in the messaging interface, which could lead to phishing or spoofing attacks.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/09/08/cisco_routers_vulnerability/