Cisco will not fix a critical bug in older routers

Cisco developers announced this week that they will not be fixing a critical bug in VPN routers that have already been discontinued. An RCE vulnerability was discovered in the UPnP service of a number of older VPN routers for small businesses.

An unauthenticated attacker can exploit a bug to restart vulnerable devices or remotely execute arbitrary code by gaining root privileges in the underlying operating system.

The bug affects models RV110W, RV130, RV130W and RV215W, but only if the devices have UPnP service enabled. The developers note that UPnP is enabled by default only for LAN interfaces and disabled by default for all WAN interfaces. That is, the listed models are not considered vulnerable if the service is completely disabled on the LAN and WAN interfaces. Disabling UPnP helps protect against potential attacks.

Judging by the information from the company’s website, the last time the listed routers were available for order on December 2, 2019. The company is now asking customers who are still using these models to upgrade to new devices such as the Cisco Small Business RV132W, RV160, or RV160W, which are still receiving patches.

Cisco says that its experts are not yet aware of any available exploits for this zero-day vulnerability, or that hackers are using this error.

Let me remind you that we also wrote that Cisco warned about 0-day vulnerabilities in IOS XR and that the researcher equipped the Cisco firewall with a bug, spending only $200.