A 9.8/10 RCE Vulnerability in Old Cisco RV Routers Will Not Be Patched
Cisco will not patch the zero-day CVE-2022-20825 vulnerability on end-of-life devices. The affected devices are Small Business RV routers (mobile routers for recreational vehicles and boats). The specific vulnerable models are the RV110W Wireless-N VPN Firewall, RV130 VPN Router, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router.
In its advisory, Cisco suggests users switch to newer models that receive all technical support and updates. For those who keep using the good old stuff, the manufacturer shows how to switch off remote management of the device, since the vulnerability only exists on routers with the remote management interface turned on (not the default configuration). Going to Basic Settings => Remote Management and clearing the relevant tick box will be enough to secure the device, although it will make the device less convenient to manage.
It’s no wonder the severity of the vulnerability in question is rated 9.8 out of 10. It allows hackers to remotely execute commands with root privileges after sending a specially tailored request to the device. The lack of user input validation of the HTTP packets puts the four named router models in serious jeopardy.