Cisco warns about auth bypass bug in EoL routers

Cisco warned its customers about a critical authentication bypass vulnerability affecting multiple end-of-life VPN routers, for which exploit code is publicly available.

CVE-2023-20025 was discovered in the web-based management interface of Cisco Small Business routers.

The flaw is caused by improper validation of user input in incoming HTTP packets. Unauthenticated attackers could exploit it remotely by sending a specially crafted HTTP request to the web-based management interface of a vulnerable router, bypassing authentication.

Successful exploitation gives the attacker root access to the device. Chained with CVE-2023 2002 (also disclosed today by Cisco), it allows arbitrary commands to be run on the underlying operating system.

Cisco rated the vulnerability critical and said it is aware of proof-of-concept exploit code available in the wild. However, the company stated that no software updates have been released to address it.

Cisco PSIRT said it has found no evidence that the vulnerability is being exploited in attacks.

To block attackers, disable the management interface

The RV016 and RV082 WAN VPN routers reached end of life in May 2016 and January 2016, respectively. However, the RV042 and RV042G VPN routers are still available to order and will be supported through January 31, 2025.

Although the vulnerability will not be fixed, administrators can block exploitation attempts by cutting off access to the management interface on ports 443 and 60443.

To do so, log in to the device's web-based management portal, go to Firewall > General, and disable Remote Management.

Cisco has published a security advisory that details the steps for blocking access to ports 443 and 60443.

After the mitigation is applied, the affected routers can still be accessed and configured through the LAN interface.
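To confirm that the mitigation actually took effect, the following script, added here and not part of the article or any Cisco tooling, checks whether the management ports 443 and 60443 still accept TCP connections on a given host. It must be run from outside the LAN (for example from a host on the WAN side), because the interface intentionally stays reachable from the LAN. Only the TCP handshake is attempted; nothing is sent to the service. The local listener and closed-port helpers are constructed stand-ins used to self-test the checker offline.

```python
import socket
import threading
from typing import Dict, Iterable

# Ports used by the routers' web-based management interface, per the advisory
# described above. Blocking them on the WAN side is the recommended mitigation.
MANAGEMENT_PORTS = (443, 60443)


def port_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    A completed handshake means the port is still reachable from where this
    runs; a refused or timed-out connection means the block holds on this path.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (OSError, socket.timeout):
        return False


def check_management_exposure(host: str,
                              ports: Iterable[int] = MANAGEMENT_PORTS,
                              timeout: float = 3.0) -> Dict[int, bool]:
    """Map each management port to whether it is reachable on host."""
    return {port: port_reachable(host, port, timeout) for port in ports}


def mitigation_effective(results: Dict[int, bool]) -> bool:
    """The mitigation holds only if none of the management ports answer."""
    return not any(results.values())


def start_local_listener() -> int:
    """Start a throwaway TCP listener on 127.0.0.1 and return its port.

    Constructed stand-in for a router whose remote management is still enabled;
    it accepts and immediately closes connections so the checker has something
    to hit during self-tests.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_local_port() -> int:
    """Reserve and release a port on 127.0.0.1 so it is (almost surely) closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    import sys
    # Usage: python check_mgmt.py <router WAN address>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = check_management_exposure(target)
    for port, reachable in results.items():
        print(f"{target}:{port} {'REACHABLE' if reachable else 'blocked'}")
    print("mitigation effective" if mitigation_effective(results)
          else "management interface still exposed")
```

A "blocked" result for both ports from the WAN side is the expected outcome after Remote Management is disabled; a "REACHABLE" result on either port means the interface is still exposed and the change should be rechecked.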

The company said the same of its RV110W and RV130W routers and encouraged their owners to move to the still-supported RV132W or RV160W models.

In June, Cisco likewise advised users to upgrade to newer models after disclosing another vulnerability (CVE-2022-20825) that was left unpatched.