Cisco will not patch serious security hole in its old VPN routers VPN

• August 19, 2021

Cisco has disclosed that some models of its small business VPN routers ship with a vulnerable Universal Plug-and-Play (UPnP) service that can be exploited to either remotely run arbitrary code or cause the device to restart unexpectedly. 

However, the company has refused to issue a patch to plug the vulnerability, arguing that the devices have reached end-of-life. 

“Cisco has not released and will not release software updates to address the vulnerability described in this advisory,” shared Cisco in its advisory.

The zero-day bug, tracked as CVE-2021-34730, and rated with a critical severity score of 9.8, exists due to the improper validation of incoming UPnP traffic, and was reported by cybersecurity researchers from IoT Inspector Research Lab.

End of the line

Cisco shared that the small business VPN routers that are affected by this vulnerability include the RV110W, RV130, RV130W, and RV215W, all of which have reached end-of-life and aren’t actively supported.

The company advises owners of the vulnerable devices to switch to newer, supported versions, namely the RV132W, RV160, and RV160W router.

For what it’s worth though, as far as Cisco’s Product Security Incident Response Team (PSIRT) can tell there are no publicly known exploits of the vulnerability.

Furthermore, the vulnerability can be exploited only if the UPnP service is toggled on in the affected models. While Cisco has shared that the service is enabled by default, to protect themselves against exploits, owners of the vulnerable devices can simply disable the UPnP service.

Source

Cisco has disclosed that some models of its small business VPN routers ship with a vulnerable Universal Plug-and-Play (UPnP) service that can be exploited to either remotely run arbitrary code or cause the device to restart unexpectedly.  However, the company has refused to issue a patch to plug the vulnerability,…