Around 19,500 end-of-life Cisco routers are exposed to hack

Researchers warn of about 19,500 end-of-life Cisco VPN routers on the Internet that are exposed to the recently disclosed RCE exploit chain.

Cisco recently warned of a critical vulnerability, tracked as CVE-2023-20025 (CVSS score of 9.0), that impacts small business RV016, RV042, RV042G, and RV082 routers. The IT giant announced that these devices will receive no security updates to address the bug because they have reached end of life (EoL).

The flaw is an authentication bypass issue that resides in the web-based management interface of the routers, an attacker. An unauthenticated, remote attacker can exploit the CVE-2023-20025 flaw to bypass authentication on vulnerable devices.

The flaw is due to improper validation of user input within incoming HTTP packets. 

An attacker could trigger the flaw by sending a specially crafted HTTP request to the web-based management interface.

“A successful exploit could allow the attacker to bypass authentication and gain root access on the underlying operating system.” reads the advisory published by the company. “Cisco has not and will not release software updates that address this vulnerability. There are no workarounds that address this vulnerability.”

The communications technology firm said that there are no workarounds to fix this flaw, however, admins may disable remote management and block access to ports 443 and 60443.

Cisco also addressed a remote command execution vulnerability, tracked as CVE-2023-20026 (CVSS Score 6.5), that impacts Cisco Small Business RV016, RV042, RV042G, and RV082 Routers.

The company PSIRT confirmed the availability of proof-of-concept exploit code for these flaws.

Censys researchers have now reported that about 19.500 end-of-life Cisco devices for individuals and small businesses are exposed on the internet, which may be at risk of exploitation for the above flaws.

Over 19,000 end-of-life Cisco VPN routers on the Internet are exposed to attacks targeting a remote command execution exploit chain.

“By looking at only HTTP services that include the model numbers in either the “WWW-Authenticate” response header or an HTTPS service with a matching TLS organizational unit,  Censys search results show around 20,000 hosts have indicators that they are potentially vulnerable to this attack.” reads the report published by Censys.

Most of the Internet-exposed models are RV042, with over 12k hosts exposed to the Internet. 

The United States (4,594 hosts) drives the top ten countries around the world running a vulnerable Cisco device, followed by Canada (1,748 hosts), and India (1,508 hosts).

​Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, routers)

[adrotate banner=”5″]

[adrotate banner=”13″]