Vulnerability in Cisco Small Business RV016, RV042, RV042G, and RV082 Routers Exposed to Remote Command Execution
Enterprotect is issuing a threat advisory regarding a vulnerability in Cisco Small Business RV016, RV042, RV042G, and RV082 routers. The vulnerability, which is a result of a security exploit chain, allows attackers to bypass authentication and execute arbitrary commands on the underlying operating system of the routers.
What is the Threat?
The threat is a remote command execution exploit chain that allows attackers to bypass authentication (CVE-2023-20025) and execute arbitrary commands (CVE-2023-2002) on the underlying operating system of Cisco Small Business RV016, RV042, RV042G, and RV082 routers. This exploit can be executed remotely via specially crafted HTTP requests sent to the vulnerable routers' web-based management interface.
Vulnerable routers distribution worldwide (Censys)
Why is it Noteworthy?
Cisco has rated the vulnerability as critical, and there is proof-of-concept exploit code available in the wild. Despite this, Cisco has not released software updates to address the vulnerability. As a result, there are currently over 19,000 end-of-life Cisco VPN routers on the Internet that are exposed to this exploit.
What is the Exposure or Risk?
The exposure or risk is that unauthenticated attackers can exploit this vulnerability to gain root access to the routers. This could allow attackers to gain unauthorized access to sensitive information, disrupt network operations, or even launch further attacks on connected systems.
What are the Recommendations?
Since Cisco has not released software updates to address the vulnerability, users should take steps to secure their devices from attacks. This can be done by disabling the web-based management interface and blocking access to ports 443 and 60443 to thwart exploitation attempts. To do this, users should log into each vulnerable router's web-based management interface, go to Firewall > General, and uncheck the Remote Management check box. Cisco also provides detailed instructions on blocking access to ports 443 and 60443.
Users can also consider migrating to newer router models, such as the RV132W, RV160, or RV160W routers, which are still under support.
References
BleepingComputer, "Cisco Won't Patch Critical Auth Bypass Flaw Impacting EOL Routers," January 14, 2023
Censys, "Cisco RV016, RV042, RV042G, and RV082 Vulnerability Search," January 14, 2023, https://censys.io/ipv4?q=%22RV016%22%20OR%20%22RV042%22%20OR%20%22RV042G%22%20OR%20%22RV082%22&search_type=ipv4