Cisco addressed multiple pre-auth remote code execution (RCE) flaws in its small business VPN routers, the most severe of which could allow arbitrary code execution as the root user of an affected device.
Tracked as CVE-2021-1289, CVE-2021-1290, CVE-2021-1291, CVE-2021-1292, CVE-2021-1293, CVE-2021-1294, and CVE-2021-1295, the vulnerabilities exists due to improper validation of HTTP requests to the web-based management interfaces of the affected devices. An attacker can exploit the flaws by sending a crafted HTTP request to the web-based management interface of affected devices. Successful exploitation could allow the attacker to remotely execute arbitrary code on the device.
A. Nature of the Vulnerabilities
Vulnerable Cisco Small Business RV Series Routers are as follows:
- RV160 VPN Router
- RV160W Wireless-AC VPN Router
- RV260 VPN Router
- RV260P VPN Router with POE
- RV260W Wireless-AC VPN Router
B. Actions to be Taken
CERT-PH recommends the following actions be taken:
Immediately test and apply the corresponding patched versions of the affected Cisco products. (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv160-260-rce-XZeFkNHf)