Cisco Won’t Fix an RCE Vulnerability in Old RV Routers

Cisco Logo

A 9.8/10 RCE Vulnerability in Old Cisco RV Routers Will Not Be Patched

Cisco will not patch the zero-day CVE-2022-20825 vulnerability on end-of-life devices. The affected devices are Small Business RV routers (mobile routers for recreational vehicles and boats.) The specific vulnerable models are RV110W Wireless-N VPN Firewall, RV130 VPN Router, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router.

In its advisory, Cisco suggests users switch to newer models that receive all technical support and updates. For those who keep using the good old stuff, the manufacturer shows how to switch off the device remote control since the vulnerability only exists on routers with the remote management interface turned on (not a default config.) Going to Basic Settings => Remote Management and clearing the relevant tick box will be enough to secure the device, although it will lower its convenience level.

It’s no wonder the severity of vulnerability in question is rated 9.8x out of 10. It allows hackers to execute commands remotely bestowed with root privileges after sending a specially tailored request to the device. The lack of user input validation of the HTTP packets puts the four named router models in serious jeopardy

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.

View all of Stephanie Adlam's posts.

Leave a comment

Your email address will not be published.