The company is rushing to deliver fixes for its entire RV router series.
This week, Cisco disclosed 15 vulnerabilities that it has identified in its RV160, RV260, RV340, and RV345 Series routers. Cisco said it has released patches for the vulnerabilities, and that there are no workarounds for the flaws.
While the 15 vulnerabilities affect routers used by small and medium-sized businesses (SMBs), businesses large and small are intertwined from a security perspective in 2022. When an SMB doesn’t address a major security issue such as this—due, for instance, to lack of resources—it can spill over and become a problem for the enterprises that SMB does business with.
The array of newly disclosed vulnerabilities in Cisco routers, including five with a “critical” severity rating, has increased cyber risk for businesses of all sizes, cybersecurity executives told VentureBeat. And three of the flaws have been awarded the highest possible severity rating—10.0.
The vulnerabilities are known as CVE-2022-20699 through CVE-2022-20712 and CVE-2022-20749.
How attackers can exploit the vulnerabilities
Nine vulnerabilities, namely CVE-2022-20699, CVE-2022-20701, CVE-2022-20707 to CVE-2022-20712 and CVE-2022-20749, only affect the router models RV340, RV340W, RV345 and RV345P. The other vulnerabilities affect the entire RV range. A bug in the SSL VPN module is what causes the vulnerability. With the help of a specially crafted request, it is possible to run code with root privileges on the routers.
This means, effectively, that attackers can bypass authorization steps.
Other vulnerabilities are related to the router’s web-based management interface. Specific HTTP requests are not properly validated, so hackers don’t need to authenticate themselves. This allows Linux commands to be injected.
It can be assumed that the vulnerabilities will be exploited in practice in the near future. Demo exploits are said to exist for some of the vulnerabilities mentioned. Administrators should check whether updates are already available for their routers. While patches have already been rolled out for some vulnerabilities, Cisco has not yet closed other gaps. The updates should be delivered soon.