Around 19,500 end-of-life Cisco routers are exposed to hack

Researchers warn of about 19,500 end-of-life Cisco VPN routers on the Internet that are exposed to the recently disclosed RCE exploit chain.

Cisco recently warned of a critical vulnerability, tracked as CVE-2023-20025 (CVSS score of 9.0), that impacts small business RV016, RV042, RV042G, and RV082 routers. The IT giant announced that these devices will receive no security updates to address the bug because they have reached end of life (EoL).

The flaw is an authentication bypass issue that resides in the web-based management interface of the routers, an attacker. An unauthenticated, remote attacker can exploit the CVE-2023-20025 flaw to bypass authentication on vulnerable devices.

The flaw is due to improper validation of user input within incoming HTTP packets.

An attacker could trigger the flaw by sending a specially crafted HTTP request to the web-based management interface.

“A successful exploit could allow the attacker to bypass authentication and gain root access on the underlying operating system.” reads the advisory published by the company. “Cisco has not and will not release software updates that address this vulnerability. There are no workarounds that address this vulnerability.”

The communications technology firm said that there are no workarounds to fix this flaw, however, admins may disable remote management and block access to ports 443 and 60443.

Cisco also addressed a remote command execution vulnerability, tracked as CVE-2023-20026 (CVSS Score 6.5), that impacts Cisco Small Business RV016, RV042, RV042G, and RV082 Routers.

The company PSIRT confirmed the availability of proof-of-concept exploit code for these flaws.

Censys researchers have now reported that about 19.500 end-of-life Cisco devices for individuals and small businesses are exposed on the internet, which may be at risk of exploitation for the above flaws.

Over 19,000 end-of-life Cisco VPN routers on the Internet are exposed to attacks targeting a remote command execution exploit chain.

“By looking at only HTTP services that include the model numbers in either the “WWW-Authenticate” response header or an HTTPS service with a matching TLS organizational unit, Censys search results show around 20,000 hosts have indicators that they are potentially vulnerable to this attack.” reads the report published by Censys.

Most of the Internet-exposed models are RV042, with over 12k hosts exposed to the Internet.

The United States (4,594 hosts) drives the top ten countries around the world running a vulnerable Cisco device, followed by Canada (1,748 hosts), and India (1,508 hosts).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, routers)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.