Security

Cisco will not release updates to fix critical RCE flaw in EoF Business Routers

Cisco announced it will not release security updates to address a critical security vulnerability affecting some of its Small Business routers.

Cisco is urging customers that are using some of its Small Business routers to replace their devices because they will no longer receive security updates.

According a security advisory published by the company, Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers are affected by Remote Command Execution vulnerability that resides in the Management Interface.

The vulnerability is caused by the improper validation of user-supplied input in the web-based management interface.

The flaw, tracked as CVE-2021-1459, has been rated with a CVSS score of 9.8 out of 10.

“A vulnerability in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.” reads the advisory published by the tech giant. “The vulnerability is due to improper validation of user-supplied input in the web-based management interface.”

An attacker could exploit the vulnerability by sending crafted HTTP requests to a targeted device. The issue could allow attackers to execute arbitrary code as the root user on the underlying operating system of the affected device.

The company has not released security updates to address this flaw, the company pointed out that there are no workarounds that fix this vulnerability.

The flaw affects the following Cisco Small Business RV Series Routers:

  • RV110W Wireless-N VPN Firewall
  • RV130 VPN Router
  • RV130W Wireless-N Multifunction VPN Router
  • RV215W Wireless-N VPN Router

“Cisco has not released and will not release software updates to address the vulnerability described in this advisory. The Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have entered the end-of-life process. Customers are advised to refer to the end-of-life notices for these products:

End-of-Sale and End-of-Life Announcement for the Cisco Small Business RV Series Routers (selected models)” continues the report.”Customers are encouraged to migrate to the Cisco Small Business RV132W, RV160, or RV160W Routers.”“” “

The vulnerability was discovered by the security researcher Treck Zhou.

The Cisco Product Security Incident Response Team (PSIRT) confirmed that it is not aware of any public announcements or malicious use of the above vulnerability.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Cisco)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

4G Calling (VoLTE) flaw allowed to locate any O2 customer with a phone call

A flaw in O2 4G Calling (VoLTE) leaked user location data via network responses due…

7 hours ago

China-linked UnsolicitedBooker APT used new backdoor MarsSnake in recent attacks

China-linked UnsolicitedBooker used a new backdoor, MarsSnake, to target an international organization in Saudi Arabia.…

13 hours ago

UK’s Legal Aid Agency discloses a data breach following April cyber attack

The UK’s Legal Aid Agency suffered a cyberattack in April and has now confirmed that…

16 hours ago

Sarcoma Ransomware Unveiled: Anatomy of a Double Extortion Gang

Cybersecurity Observatory of the Unipegaso's malware lab published a detailed analysis of the Sarcoma ransomware.…

18 hours ago

Mozilla fixed zero-days recently demonstrated at Pwn2Own Berlin 2025

Mozilla addressed two critical Firefox vulnerabilities that could be potentially exploited to access sensitive data…

1 day ago

Japan passed a law allowing preemptive offensive cyber actions<gwmw style="display:none;"></gwmw>

Japan passed a law allowing preemptive offensive cyber actions, shifting from its pacifist stance to…

2 days ago