Networking equipment major Cisco Systems has said it does not plan to fix a critical security vulnerability affecting some of its Small Business routers, instead urging users to replace the devices.
The bug, tracked as CVE-2021-1459, is rated with a CVSS score of 9.8 out of 10, and affects the RV110W VPN firewall and the Small Business RV130, RV130W, and RV215W routers, allowing an unauthenticated, remote attacker to execute arbitrary code on an affected appliance.
The flaw, which stems from improper validation of user-supplied input in the web-based management interface, could be exploited by a malicious actor to send specially crafted HTTP requests to the targeted device and achieve remote code execution.
"A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system of the affected device," Cisco said in its advisory.
Security researcher Treck Zhou has been credited with reporting the vulnerability. Although the company noted there has been no evidence of active exploitation attempts in the wild, it does not intend to release a patch or make any workarounds available, citing that the products have reached end-of-life.
"The Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have entered the end-of-life process," the company said. "Customers are encouraged to migrate to the Cisco Small Business RV132W, RV160, or RV160W Routers."
Separately, Cisco has also released software updates to address multiple vulnerabilities in Cisco SD-WAN vManage Software (CVE-2021-1137, CVE-2021-1479, and CVE-2021-1480) that could allow an unauthenticated, remote attacker to execute arbitrary code, or allow an authenticated, local attacker to gain escalated privileges on an affected system.
Arising from a buffer overflow issue, CVE-2021-1479 is rated 9.8 in severity; successful exploitation "could allow the attacker to execute arbitrary code on the underlying operating system with root privileges."