Security News > 2023 > January > Cisco won’t fix router flaws even though PoC exploit is available (CVE-2023-20025, CVE-2023-20026)

Cisco won’t fix router flaws even though PoC exploit is available (CVE-2023-20025, CVE-2023-20026)
2023-01-12 10:41

Cisco has acknowledged one critical and two medium-severity vulnerabilities affecting some of its Small Business series of routers, but won't be fixing them as the devices "Have entered the end-of-life process."

Proof-of-concept exploit code for CVE-2023-20025 and CVE-2023-20026 is available online, but there is currently no indication of any of these flaws being exploited by attackers.

CVE-2023-20025 is an authentication bypass vulnerability in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, and RV082 VPN routers.

CVE-2023-20045 is a RCE flaw in the web-based management interface of Cisco Small Business RV160 and RV260 Series VPN routers, and also requires successful authentication before exploitation.

In RV160 and RV260 devices, the vulnerable web-based management interface is available through local LAN connections by default and can be made available through the WAN interface.

Cisco naturally prefer admins to go for the latter option when products stop being supported.


News URL

https://www.helpnetsecurity.com/2023/01/12/cve-2023-20025-cve-2023-20026/

Related news

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-01-20 CVE-2023-20045 Improper Input Validation vulnerability in Cisco products
A vulnerability in the web-based management interface of Cisco Small Business RV160 and RV260 Series VPN Routers could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of user input.
network
low complexity
cisco CWE-20
7.2
7.2
2023-01-20 CVE-2023-20026 Improper Input Validation vulnerability in Cisco products
A vulnerability in the web-based management interface of Cisco Small Business Routers RV042 Series could allow an authenticated, remote attacker to inject arbitrary commands on an affected device. This vulnerability is due to improper validation of user input fields within incoming HTTP packets.
network
low complexity
cisco CWE-20
7.2
7.2
2023-01-20 CVE-2023-20025 Improper Input Validation vulnerability in Cisco products
A vulnerability in the web-based management interface of Cisco Small Business RV042 Series Routers could allow an unauthenticated, remote attacker to bypass authentication on the affected device. This vulnerability is due to incorrect user input validation of incoming HTTP packets.
network
low complexity
cisco CWE-20
critical
 9.8
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Cisco 2046 21 1771 1669 288 3749