Cisco informs it won’t set zero-day RCE in end-of-life VPN routers

Cisco suggests end-of-life small business RV routers owners to upgrade new models after revealing remote code execution vulnerability that will not be patched.

However, the vulnerability is tracked as CVE-2022-20825 and has a CVSS severity rating of 9.8 out of 10.0.

According to a Cisco security advisory, the defect exists because of insufficient user input validation of incoming HTTP packets on the impacted devices.

However, an attacker can defeat it by sending specially crafted requests to the web-based management interface resulting in command execution with root-level privileges.

Influence and amendition –

The vulnerability affects four small business RV series models named as the RV110W Wireless-N VPN Firewall, the RV130 VPN Router, the RV130W Wireless-N Multifunction VPN Router, and the RV215W Wireless-N VPN Router.

However, this vulnerability only affects web-based remote management interface devices enabled on WAN connections.

And to confirm whether remote management is enabled, the admins should log in to the web-based management interface, navigate to ‘Basic Settings > Remote Management,’ and check on it.

Besides, Cisco stated that it won’t release a security update to address CVE-2022-20825 because the devices are no longer supported.

Moreover, the admin shall should turn off remote management on WAN interface for better overall security.

Additionally, the users are adviced to apply configuration changes until they migrate to Cisco Small Business RV132W, RV160, or RV160W Routers because the vendor actively supports.

Cisco have also warned last year that admins should upgrade to newer models after revealing that they will not fix a critical vulnerability in Universal Plug-and-Play (UPnP) service.