- Some older Cisco products are affected by an authentication bypass vulnerability that the company will not patch.
- The vulnerability, tracked as CVE-2023-20025, results from incorrect validation of user input in incoming HTTP packets.
- To exploit the vulnerability, attackers need to have valid administrative credentials.
Cisco is a network technology company that designs, manufactures, and sells networking equipment and services. The company issued an alert to its clients about a critical authentication bypass vulnerability with public exploit code that affects multiple end-of-life (EoL) VPN routers.
A critical flaw of CVSS 9.0
Cisco issued the alert on January 11th to its clients. The security flaw (CVE-2023-20025) was discovered in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, and RV082 routers. We had covered another security issue Cisco dealt with back in September of 2022.
The current vulnerability results from an incorrect user input validation in incoming HTTP packets. It can be remotely exploited by unauthenticated attackers by sending a specially crafted HTTP request to the web-based management interface of susceptible routers.
Cisco also included a list of products that were confirmed to not be affected:
- RV160 VPN Routers
- RV160W Wireless-AC VPN Routers
- RV260 VPN Routers
- RV260P VPN Routers with PoE
- RV260W Wireless-AC VPN Routers
- RV320 Dual Gigabit WAN VPN Routers
- RV325 Dual Gigabit WAN VPN Routers
- RV340 Dual WAN Gigabit VPN Routers
- RV340W Dual WAN Gigabit Wireless-AC VPN Routers
- RV345 Dual WAN Gigabit VPN Routers
- RV345P Dual WAN Gigabit PoE VPN Routers
Cisco has not released software upgrades that address this issue and reports that it will not do so. There are currently no workarounds for this weakness. Cisco added that administrators can avoid attacks by disabling the impacted feature, Remote Management, and blocking access to ports 443 and 60443. To do this, follow the instructions in the workarounds section of Cisco's advisory.
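One way to verify that mitigation across a fleet, as an added example that is not Cisco's code: the script picks the affected models out of an inventory and checks whether ports 443 and 60443 still accept TCP connections. The inventory entries and addresses are constructed, the function names are hypothetical, and the check is assumed to run from a host on the untrusted (WAN) side of your own routers.

```python
import re
import socket

# Affected models and management ports as named in the article above.
AFFECTED = {"RV016", "RV042", "RV042G", "RV082"}
MGMT_PORTS = (443, 60443)

def model_id(text):
    """Extract a model token such as 'RV042G' from free-form inventory text."""
    m = re.search(r"\bRV\d{3}[A-Z]?\b", text.upper())
    return m.group(0) if m else None

def is_affected(text):
    """Exact match on the model token, so RV042G and RV042 are both caught
    while look-alikes such as RV340W are not."""
    return model_id(text) in AFFECTED

def reachable(host, port, timeout=2.0):
    """True if a TCP connection completes; refused, filtered or timed out is False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(inventory, ports=MGMT_PORTS, timeout=2.0):
    """Return {host: [ports still reachable]} for affected models only."""
    findings = {}
    for model_text, host in inventory:
        if not is_affected(model_text):
            continue
        findings[host] = [p for p in ports if reachable(host, p, timeout)]
    return findings

if __name__ == "__main__":
    # Constructed inventory; 192.0.2.0/24 is a documentation address range.
    inventory = [("Cisco RV042G Dual WAN VPN Router", "192.0.2.10"),
                 ("Cisco RV340W", "192.0.2.20")]
    for host, open_ports in audit(inventory, timeout=1.0).items():
        if open_ports:
            print(f"{host}: management interface still reachable on {open_ports}")
        else:
            print(f"{host}: ports 443 and 60443 not reachable")
```

An empty port list for an affected router means neither management port answered from where the script ran; it says nothing about exposure from other networks.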
The company summarizes the possible outcome of the vulnerability as follows:
"A successful exploit could allow the attacker to gain root-level privileges and access unauthorized data. To exploit this vulnerability, an attacker would need to have valid administrative credentials on the affected device."