Cisco warns it won't fix critical flaw in small business routers despite known exploit

Software support ended in 2021, so we’re relying on SMBs knowing how to block ports

Cisco "has not and will not release software updates" to address a critical flaw in four small business routers, despite having spotted proof of concept code for an exploit.

The networking giant on Wednesday advised that its model RV016, RV042, RV042G, and RV082 routers are subject to CVE-2023-20025 – a critical-rated authentication bypass vulnerability – as well as the medium-severity rated remote command execution vulnerability CVE-2023-20026.

CVE-2023-20025 could allow an unauthenticated remote attacker to bypass authentication on an affected device, thanks to improper validation of user input within incoming HTTP packets.

"An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface. A successful exploit could allow the attacker to bypass authentication and gain root access on the underlying operating system," Cisco's warning states.

CVE-2023-20026 is also an HTTP validation problem, but can only be triggered when attackers possess valid administrative credentials for the affected device.

Cisco won't update the devices, for two reasons.

One is that disabling remote management and blocking access to ports 443 and 60443 is a workaround that prevents exploitation of the flaws.

The other is that the devices have reached end of life. Cisco ended support for the RV082 and RV016 in 2021, and software maintenance ended for the RV042 and RV042G in the same year – but the hardware will be supported until 2025.

Now for the tricky part: Cisco is "aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory" but "is not aware of any malicious use of the vulnerabilities that are described in this advisory."

But given that criminals routinely hunt for easy-to-attack platforms, it surely won't be long before someone attempts to exploit these vulnerabilities.

Security experts often tell The Register that small businesses are not renowned for their infosec capabilities or diligence. So while the fix is relatively trivial for a technical user, many actual owners of these machines will have no idea how to block access to ports 443 and 60443. That is, if they even receive news of the flaws.

Throw in the fact that small routers often just work for years at a time without intervention, and it is almost certain some of these devices are ripe for attack – and will be for the foreseeable future. ®

Send us news

Switchzilla revisits training and cert tools with looming debut of 'Cisco U.'

Some training in refreshed certification platform to be free, including short how-to vids

Alert: Crims hijack these DrayTek routers to attack biz

Workaround: Throw away kit? Hope there's a patch?

CISA joins forces with Women in CyberSecurity to break up the boy's club

Also, the FBI just admitted to bypassing warrants by buying cellphone location data, and this week's actionable items

UK watchdog still not ruled on Openreach wholesale fiber discounts

Rival network operators champing at the bit amid claims dominant former state firm's undercutting them

Zoll Medical says intruders had 1M+ patient, staff records at their fingertips

Names, addresses, SSNs all up for grabs

BianLian ransomware crew goes 100% extortion after free decryptor lands

No good deed goes unpunished, or something like that

Germany clocks that ripping out Huawei, ZTE network kit won't be cheap or easy

More than half of Euro nation's infrastructure would have to go

Refreshed from its holiday, Emotet has gone phishing

Notorious botnet starts spamming again after a three-month pause

Cloud, datacenter vendors muscle in on traditional telco territory at MWC

Join us in the 'new world of opportunity' says GSMA chief

Where are the women in cyber security? On the dark side, study suggests

Also, Royal ransomware metastasizes to other critical sectors, and this week's critical vulnerabilities

Windows 11 puts 'disgusting' Remote Mailslots protocol out of its misery

It's simple, unreliable, insecure, and on its way out

Privacy fail: Pictures cropped, redacted by Google Pixel phones can be recovered

aCropalypse Now, starring any 2018-or-later device