RCE will not be fixed on Cisco EOL Business routers.

In recent days, Cisco said it has no plans to fix a critical remote code execution (RCE) vulnerability affecting some of its small business routers, and instead urged users to replace the devices.

The flaw, tracked as CVE-2021-1459, carries a CVSS score of 9.8 out of 10 and affects the RV110W VPN firewall and the Small Business RV130, RV130W, and RV215W routers. It allows an unauthenticated remote attacker to execute arbitrary code on an affected appliance.

The flaw stems from improper validation of user-supplied input in the web-based management interface; an attacker who can send a crafted HTTP request to that interface can reach a remote code execution condition.

“A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system of the affected device,” Cisco said in its advisory.

The vulnerability was discovered and reported by Treck Zhou, who is credited in the advisory. Although the company noted there has been no evidence of active exploitation attempts in the wild, it does not intend to release a patch or make any workarounds available, citing that the products have reached end-of-life.

“The Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have entered the end-of-life process,” the firm said. “Customers are encouraged to migrate to the Cisco Small Business RV132W, RV160, or RV160W Routers.”

For more details about the latest round of Cisco fixes, see the linked Cisco advisory.