Cisco does not plan to fix a recently disclosed vulnerability in several of its VPN routers for SMBs. The company said the affected models have reached end-of-life (EoL) status and will therefore not receive an update.

The vulnerability (CVE-2022-20923) affects the RV110W, RV130, RV130W and RV215W. According to Cisco, these models reached end-of-life status near the end of 2019, and the company will not provide further software updates for them. Customers still using these routers are advised to migrate to newer models.

Authentication algorithms can be abused

The vulnerability stems from an incorrect password validation algorithm. An attacker can exploit the flaw to log into the VPN environment of a vulnerable device by submitting crafted login credentials to a router on which the IPsec VPN Server feature is enabled.

A successful attack bypasses authentication and grants access to the IPsec VPN network. Depending on the crafted credentials used, the attacker may also obtain administrator privileges.

Mitigation

Disabling the IPsec VPN Server feature removes the attack surface. Administrators can check whether the feature is enabled in the router's web interface under VPN > IPSec VPN Server > Setup. According to Cisco, there is no indication that the vulnerability has been exploited by cybercriminals so far.
