Pierluigi Paganini January 28, 2019

Cisco released security updates to address security flaws in several products including Small Business RV320/RV325 routers and hackers are already targeting them.

The tech giant addressed two serious issues in Cisco’s Small Business RV320 and RV325 routers. The first one could be exploited by a remote and unauthenticated attacker with admin privileges. to obtain sensitive information (CVE-2019-1653), while the second one can be exploited for command injection (CVE-2019-1652).

Now, news of the day is that hackers are targeting Cisco RV320/RV325 routers using new exploits.

After the disclosure of proof-of-exploit code for security flaws in
Cisco RV320 and RV325 routers, hackers started scanning the Internet for vulnerable devices in an attempt to take compromise them.

Cisco this week announced updates for router models RV320 and RV325 that fix a command injection (CVE-2019-1652) and an information disclosure (CVE-2019-1653) vulnerability; both of them are in the routers’ web management interface.

Chaining the two flaws it is possible to take over the Cisco RV320 and RV325 routers, the hackers exploit the bugs to obtain hashed passwords for a privileged account and run arbitrary commands as root.

Both vulnerabilities were reported by experts at RedTeam Pentesting firm, the proof-of-code exploit for the flaws was published by the experts after Cisco released the security update to address the flaws.

The experts published a proof-of-concept (PoC) exploit code for the command injection issue, the info disclosure flaw, and the data leak vulnerability.

Other PoC exploits were published by the security researcher David Davidson, who successfully tested them on Cisco RV320 routers.

Searching on Shodan for vulnerable Cisco RV320 and RV325 routers it is possible to find tens of thousands of devices online.

The popular expert Troy Mursch, chief research officer at Bad Packets, searched for vulnerable systems using the BinaryEdge search engine and found 9,657 devices exposed online (6,247 Cisco RV320 routers and 3,410, are Cisco RV325 routers).

⚠️ WARNING ⚠️
Incoming scans detected from multiple hosts checking for vulnerable Cisco RV320/RV325 routers.

A vulnerability in the web-based management interface of these routers could allow an unauthenticated, remote attacker to retrieve sensitive configuration information. pic.twitter.com/OhQD55WNZD

— Bad Packets Report (@bad_packets) January 25, 2019

Mursch created an interactive map that shows the geographic distribution of vulnerable routers, the vast majority of them are located in the US.

“Due to the sensitive nature of these vulnerabilities, the IP addresses of the affected Cisco RV320/RV325 routers will not be published publicly.” reads a blog post published by Mursch on Badpackets.

“However, the list is freely available for authorized CERT teams to review. We’ve shared our findings directly with Cisco PSIRT and US-CERT for further investigation and remediation,”

Pierluigi Paganini

(SecurityAffairs – Cisco RV320/RV325 routers, IoT)

[adrotate banner=”5″] [adrotate banner=”13″]