Cisco warns it won't fix critical flaw in small business routers despite known exploit

Software support ended in 2021, so we’re relying on SMBs knowing how to block ports

Cisco "has not and will not release software updates" to address a critical flaw in four small business routers, despite having spotted proof of concept code for an exploit.

The networking giant on Wednesday advised that its model RV016, RV042, RV042G, and RV082 routers are subject to CVE-2023-20025 – a critical-rated authentication bypass vulnerability – as well as the medium-severity rated remote command execution vulnerability CVE-2023-20026.

CVE-2023-20025 could allow an unauthenticated remote attacker to bypass authentication on an affected device, thanks to improper validation of user input within incoming HTTP packets.

"An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface. A successful exploit could allow the attacker to bypass authentication and gain root access on the underlying operating system," Cisco's warning states.

CVE-2023-20026 is also an HTTP validation problem, but can only be triggered when attackers possess valid administrative credentials for the affected device.

Cisco won't update the devices, for two reasons.

One is that disabling remote management and blocking access to ports 443 and 60443 is a workaround that prevents exploitation of the flaws.

The other is that the devices have reached end of life. Cisco ended support for the RV082 and RV016 in 2021, and software maintenance ended for the RV042 and RV042G in the same year – but the hardware will be supported until 2025.

Now for the tricky part: Cisco is "aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory" but "is not aware of any malicious use of the vulnerabilities that are described in this advisory."

But given that criminals routinely hunt for easy-to-attack platforms, it surely won't be long before someone attempts to exploit these vulnerabilities.

Security experts often tell The Register that small businesses are not renowned for their infosec capabilities or diligence. So while the fix is relatively trivial for a technical user, many actual owners of these machines will have no idea how to block access to ports 443 and 60443. That is, if they even receive news of the flaws.

Throw in the fact that small routers often just work for years at a time without intervention, and it is almost certain some of these devices are ripe for attack – and will be for the foreseeable future. ®

Send us news

Google Cloud shows it can break things for lots of customers – not just one at a time

Deleted about 40 networks that services needed, causing late Thursday fun

Starlink offers 'unusually hostile environment' to TCP

Hopping satellites every 15 seconds will do that to a protocol, natch

With ransomware whales becoming so dominant, would-be challengers ask 'what's the point?'

Fewer rivals on the scene as big-gang success soars

Google takes shots at Microsoft for shoddy security record with enterprise apps

Also, feds who switch to Google Workspace for 3 years get an extra year for free

Nissan infosec in the spotlight again after breach affecting more than 50K US employees

PLUS: Connected automakers put on notice; Cisco Talos develops macOS fuzzing technique; Last week's critical vulns

Three cuffed for 'helping North Koreans' secure remote IT jobs in America

Your local nail tech could be a secret agent for Kim’s cunning plan

NYSE parent gets $10M wrist tap for failing to report 2021 systems break-in

Intercontinental Exchange's Q1 revenue exceeded $1B – that'll sure teach 'em

Big Tech is not much help when fighting a junta, and FOSS doesn't ride to the rescue

Opponents of Myanmar’s internet-nobbling military government don't like when Facebook asks for their real names

NCSC CTO: Broken market must be fixed to usher in new tech

It may take ten years but vendors must be held accountable for the vulnerabilities they introduce

TR-069, a protocol that made broadband manageable, turns 20. What's coming next?

In less than 13 minutes, we'll get you up to speed on USP

LockBit dethroned as leading ransomware gang for first time post-takedown

Rivals ready to swoop in but drop in overall attacks illustrates LockBit’s influence

John Deere now considers VMs to be legacy tech, Ethernet and Wi-Fi on the brink

Plans robo-tractors to help as folks flee the farm but the planet stays hungry