Cisco is advising owners of end-of-life Small Business RV routers to upgrade to newer models after revealing a remote code execution vulnerability that the company will no longer patch.
The vulnerability is tracked as CVE-2022-20825 with a CVSS severity rating of 9.8 out of 10.0.
As per a Cisco security advisory, the flaw is due to insufficient user input validation of incoming HTTP packets on the affected devices.
A hacker could exploit it by sending a specially crafted request to the web-based management interface, leading to command execution with root-level privileges.
The vulnerability affects four Small Business RV Series models, namely the RV110W Wireless-N VPN Firewall, the RV130 VPN Router, the RV130W Wireless-N Multifunction VPN Router, and the RV215W Wireless-N VPN Router.
This vulnerability only impacts devices with the web-based remote management interface enabled on WAN connections. While the remote management feature is disabled in the default configuration, brief searches using Shodan detected exposed devices.
To find out if remote management is enabled, users must log in to the web-based management interface, navigate to “Basic Settings > Remote Management,” and verify the state of the relevant check box.
Cisco will not be releasing a security update to address CVE-2022-20825 as the devices are no longer supported. There will also be no mitigations available other than to turn off remote management on the WAN interface.
Admins are urged to apply the configuration changes until they migrate to Cisco Small Business RV132W, RV160, or RV160W Routers, which the company actively supports.