The Cisco security vulnerability exists in the RV132W ADSL2+ Wireless-N VPN Routers and RV134W VDSL2 Wi-fi-AC VPN Routers.
A popular line of tiny company routers manufactured by Cisco Programs are vulnerable to a higher-severity vulnerability. If exploited, the flaw could enable a distant – albeit authenticated – attacker to execute code or restart afflicted units unexpectedly.
Cisco issued fixes on Wednesday for the flaw in its RV132W ADSL2+ Wireless-N VPN routers and RV134W VDSL2 Wireless-AC VPN routers. These routers are explained by Cisco as “networking-in-a-box” styles that are focused for small or house offices and smaller deployments.
The vulnerability (CVE-2021-1287) stems from an issue in the routers’ web-based mostly management interface. It ranks 7.2 out of 10 on the CVSS scale, creating it significant severity.
“A prosperous exploit could permit the attacker to execute arbitrary code as the root person on the underlying running process or trigger the product to reload, ensuing in a denial of support (DoS) ailment on the afflicted device,” mentioned Cisco on Wednesday.
The Cisco Router Vulnerability
The vulnerability stems from the routers’ web-based administration interface improperly validating user-provided input, said Cisco. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected product – on the other hand, of observe the attacker would need to initial be authenticated to the unit (which could be accomplished by using a phishing attack or other destructive attack, for instance).
Impacted are RV132W ADSL2+ Wi-fi-N VPN routers running a firmware release before than Launch 1..1.15 (which is set) and RV134W VDSL2 Wireless-AC VPN Routers managing a firmware launch previously than Launch 1..1.21 (the mounted edition). Shizhi He of Wuhan University was credited with reporting the flaw.
“The Cisco Product Security Incident Response Group (PSIRT) is not aware of any public bulletins or malicious use of the vulnerability that is described in this advisory,” claimed Cisco.
Cisco Flaws: Patches Issued This Year
The patch is only the newest from Cisco this 12 months. In February, Cisco rolled out fixes for critical holes in its lineup of small-business enterprise VPN routers, which could be exploited by unauthenticated, distant attackers to watch or tamper with data, and execute other unauthorized steps on the routers.
In 2021, Cisco also patched various vulnerabilities throughout its products lineup, including multiple, critical vulnerabilities in its computer software-described networking for vast-spot networks (SD-WAN) methods for enterprise end users, and a superior-severity flaw in its smart Wi-Fi solution for retailers that could allow for a distant attacker to change the password of any account user on affected systems.
Check out our free upcoming stay webinar events – unique, dynamic conversations with cybersecurity authorities and the Threatpost local community:
- March 24: Economics of -Working day Disclosures: The Great, Negative and Unsightly (Find out more and sign-up!)
- April 21: Underground Marketplaces: A Tour of the Dark Economic climate (Find out far more and sign up!)
Some pieces of this report are sourced from: