Cisco says customers using its small business routers should upgrade the firmware to fix vulnerabilities that could give remote attackers access as the root user on an affected device.
According to Cisco, there are multiple vulnerabilities in the web-based management interface of its Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers that “could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device.”
The vulnerabilities are given a “critical” designation and were first published on Feb. 3. They are tracked as CVE-2021-1289, CVE-2021-1290, CVE-2021-1291, CVE-2021-1292, CVE-2021-1293, CVE-2021-1294 and CVE-2021-1295.
Cisco assigned the vulnerabilities a base score of 9.8.
“These vulnerabilities exist because HTTP requests are not properly validated,” the advisory says. “An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the web-based management interface of an affected device. A successful exploit could allow the attacker to remotely execute arbitrary code on the device.”
The affected small business routers, when running firmware earlier than Release 1.0.01.02, are:
- RV160 VPN Router
- RV160W Wireless-AC VPN Router
- RV260 VPN Router
- RV260P VPN Router with PoE
- RV260W Wireless-AC VPN Router
There are no workarounds for these vulnerabilities, so customers are advised to download the free software upgrade to patch these vulnerabilities and prevent an attacker from exploiting them.
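One way a network team could triage this advisory against its own asset list, as an added example that is not taken from Cisco's advisory or from the article: the script below compares each device's model and firmware string with the affected models and the first fixed release named above, using a numeric segment-by-segment comparison rather than plain string comparison (so "1.0.01.02" is not misjudged against "1.0.00.15" or a shorter string such as "1.0.1"). The inventory rows, hostnames and the non-affected RV345 entry are constructed sample data.

```python
import csv
import io
import re

# Models named in the Cisco advisory covered above.
AFFECTED_MODELS = {"RV160", "RV160W", "RV260", "RV260P", "RV260W"}

# First fixed firmware release, per the advisory.
FIXED_RELEASE = "1.0.01.02"

# Constructed sample inventory (hypothetical hostnames and versions),
# in the shape an asset-management export might produce.
SAMPLE_INVENTORY = """hostname,model,firmware
branch-rtr-01,RV160,1.0.00.15
branch-rtr-02,RV260W,1.0.01.02
branch-rtr-03,RV260P,1.0.00.17
branch-rtr-04,rv160w,1.0.01.03
hq-rtr-01,RV345,1.0.03.20
"""


def parse_version(version: str) -> tuple[int, ...]:
    """Convert a dotted release string such as '1.0.01.02' into a tuple of
    integers, so that zero-padded segments ('01') compare equal to unpadded
    ones ('1') and string-comparison pitfalls are avoided."""
    parts = version.strip().split(".")
    if not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"unrecognised firmware version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_earlier(version: str, reference: str) -> bool:
    """True if `version` sorts before `reference`; the shorter tuple is padded
    with zero segments so '1.0.1' is treated as '1.0.1.0'."""
    a, b = parse_version(version), parse_version(reference)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def needs_upgrade(model: str, firmware: str) -> bool:
    """True if the device is one of the listed models and runs firmware
    earlier than the first fixed release."""
    if model.strip().upper() not in AFFECTED_MODELS:
        return False
    return is_earlier(firmware, FIXED_RELEASE)


def check_inventory(csv_text: str) -> list[str]:
    """Return the hostnames of devices that still need the fix, in input order."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row["hostname"] for row in reader
            if needs_upgrade(row["model"], row["firmware"])]


if __name__ == "__main__":
    for host in check_inventory(SAMPLE_INVENTORY):
        print(f"{host}: upgrade to {FIXED_RELEASE} or later")
```

Run against the constructed inventory, the script lists branch-rtr-01 and branch-rtr-03; a device already on 1.0.01.02 or later, or a model outside the affected list, is not reported. Because the advisory gives no workaround, the only remediation this check can recommend is the firmware upgrade itself.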
On the same day, the company also said its Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers contained vulnerabilities that could allow a remote attacker to conduct directory traversal attacks and overwrite certain files that should be restricted on an affected system.
Those were labeled as “high” and given a base score of 7.5.
For more information on these and other vulnerabilities with Cisco products and how to patch them, visit the company’s security advisory website.