Critical Cisco SMB Router Flaw Allows Authentication Bypass, PoC Available

Unpatched Cisco bugs, tracked as CVE-2023-20025 and CVE-2023-20026, allow lateral movement, data theft, and malware infestations.

Corporate cisco sign outside of office building
Source: Kristoffer Tripplaar via Alamy Stock Photo

Two security vulnerabilities in Cisco routers for small and midsize businesses (SMBs) could allow unauthenticated cyberattackers to take full control of a target device to run commands with root privileges. Unfortunately, they'll remain unpatched even though proof-of-concept exploits are floating around in the wild.

Among other things, a successful compromise could allow cyberattackers to eavesdrop on or hijack VPN and session traffic flowing through the device, gain a foothold for lateral movement within a company's network, or run cryptominers, botnet clients, or other malware.

"It’s an attractive target from a technical point of view. As an attacker, if you manage to get remote code execution on core routing or network infrastructure, your ability to move laterally increases exponentially," noted Casey Ellis, founder and CTO at Bugcrowd, in an emailed comment.

Critical-Rated Bug Offers Root Privileges

The first bug is a critical-rated authentication bypass issue (CVE-2023-20025) that exists in the Web management interface of the devices and carries a rating of 9 out of 10 on the CVSS vulnerability-severity scale.

Meanwhile, the second flaw — tracked as CVE-2023-20026 — can allow remote code execution (RCE) with a caveat: an attacker would need to have valid administrative credentials on the affected device to be successful, so the bug is rated medium, with a 6.5 CVSS score.

They both affect all versions of the RV016, RV042, RV042G, and RV082 routers, which have reached end of life (EoL). As such, the appliances therefore no longer receive security updates, according to the networking giant's Jan. 11 advisory.

The advisory noted that both bugs are "due to improper validation of user input within incoming HTTP packets," so an attacker needs only to send a crafted HTTP request to the Web-based management interface to gain root access on the underlying operating system.

Cisco "is aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory," it said, though in-the-wild attacks have so far not been spotted.

While there are no workarounds that address the bugs, a possible mitigation would be to disable remote management of the routers and block access to ports 443 and 60443, according to Cisco, meaning the routers would only be accessible through the LAN interface.

"It’s always a best practice not to allow remote administration of network devices accessible from the open internet, however, small business using some MSP/MSSPs have to leave it open for their service providers," John Bambenek, principal threat Hunter at Netenrich, noted via email. "That said, this is the worst of all worlds with PoC code publicly available and no ... patches available."

Replacing the devices is the best course of action to fully protect one's business, the researchers noted.

Big Impact, Even at EoL

Researchers noted that the routers' existing installed base is significant, even though the devices have been discontinued. It's not uncommon for out-of-date gear to linger on in business environments well after it's been cut off — offering a rich playground for cyberattackers.

"The Cisco small business routers affected by these vulnerabilities still see reasonably widespread usage, though they are all officially end of life," Mike Parkin, senior technical engineer at Vulcan Cyber, said via email. "The challenge will be that these devices are typically found in small businesses with limited resources or used by individuals who may not have the budget to replace them."

And, it's not just SMBs who are affected, Bugcrowd's Ellis noted: "SMB routers are very widely deployed, and in a post-COVID hybrid/work from home world, it’s not just an SMB problem. Branch offices, COEs, and even home offices are potential users of the vulnerable product."

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights