RCE attack on over 19,000 Cisco routers at the end of their lives

A remote command execution exploit chain can be used against more than 19,000 Cisco VPN routers that have reached end of life.

Two security holes can be used to bypass authentication and allow threat actors to execute arbitrary commands on the operating system of Cisco Small Business and .

An attacker can remotely exploit the critical-severity authentication bypass flaw by sending specially crafted HTTP requests to a vulnerable router's web-based management interface to gain root access.

Cisco has rated CVE-2023-2025 critical. It also stated that its Product Security Incident Response Team (PSIRT) is aware of available proof-of-concept exploit code.

The company stated that it has not yet released software updates to address the vulnerability.

Cisco does not believe that the exploit chain has been used in attacks at this time.

Attacks on thousands of routers

After BleepingComputer covered these unpatched routers, Censys looked into the number of routers that can be reached over the Internet and discovered over 19,000 online.

Censys stated that it only counts HTTPS services that expose a model number, either in the ‘WWW-Authenticate’ response header or in the TLS certificate's organizational unit of a matching HTTPS server. “Censys found that around 20,000 hosts are vulnerable to attack by looking at HTTPS services without the model number.”

The RV042 accounts for the largest share of the four models, with more than 12k hosts exposed to the Internet.

The RV082 and RV042 account for 3.5k hosts, while the RV016 is last with only 784 Internet-facing assets.
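The fingerprinting approach described above (model number in the WWW-Authenticate header or the TLS organizational unit) can be turned into an inventory check that a defender runs over their own scan results. The following is an added example, not Censys's or Cisco's code; the regex for how the model string appears, the sample inventory, and the field names are constructed assumptions.

```python
import re
from collections import Counter

# Models named on this page; the pattern is an assumption about how the
# model string appears in a realm or certificate field (constructed here).
MODEL_RE = re.compile(r"\bRV0(?:16|42|82)\b", re.IGNORECASE)


def model_from_host(headers, tls_subject):
    """Return the router model if either fingerprint matches, else None.

    headers: dict of HTTP response headers (looked up case-insensitively)
    tls_subject: dict of TLS certificate subject fields, e.g. {"OU": "RV042"}
    Order mirrors the page: WWW-Authenticate first, then the TLS OU.
    """
    auth = next((v for k, v in headers.items() if k.lower() == "www-authenticate"), "")
    m = MODEL_RE.search(auth)
    if m:
        return m.group(0).upper()
    m = MODEL_RE.search(tls_subject.get("OU", ""))
    return m.group(0).upper() if m else None


def tally_exposed(hosts):
    """Count exposed management interfaces per model over an inventory."""
    counts = Counter()
    for h in hosts:
        model = model_from_host(h.get("headers", {}), h.get("tls_subject", {}))
        if model:
            counts[model] += 1
    return dict(counts)


# Constructed sample inventory (not real scan data).
SAMPLE_HOSTS = [
    {"headers": {"WWW-Authenticate": 'Basic realm="RV042"'}, "tls_subject": {}},
    {"headers": {"www-authenticate": 'Basic realm="RV082"'}, "tls_subject": {"OU": "other"}},
    {"headers": {}, "tls_subject": {"OU": "RV016"}},
    {"headers": {"Server": "nginx"}, "tls_subject": {"OU": "Web Team"}},  # no model: skipped
    {"headers": {"WWW-Authenticate": 'Basic realm="RV042"'}, "tls_subject": {"OU": "RV042"}},
]

if __name__ == "__main__":
    print(tally_exposed(SAMPLE_HOSTS))  # {'RV042': 2, 'RV082': 1, 'RV016': 1}
```

Any host that still shows up in this tally after remote management is disabled is one whose WAN-side management interface is still reachable and should be checked again.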

Vulnerable routers distribution worldwide (Censys)

Cisco stated that security updates will not be made available for these routers and that it cannot provide workarounds. However, users can protect their devices against attacks by disabling Cisco’s web-based management interface. They also have the option to block access to ports 403 and 443 to prevent exploitation attempts.

Log into the web-based router management interface, go to Firewall > General, and uncheck Remote Management. Cisco provides detailed instructions for this procedure.

After the mitigation, the affected routers can still be accessed and configured through the LAN interface.

Cisco stated this in September, and recommended that users switch to RV132W or RV160W routers while those are still supported.

Three months earlier, in June, Cisco had already encouraged users to upgrade to higher-end router models when it disclosed a vulnerability found in another set of end-of-life VPN routers. That flaw was not patched either.