Cisco has disclosed that some models of its small business VPN routers ship with a vulnerable Universal Plug-and-Play (UPnP) service that can be exploited to either remotely run arbitrary code or cause the device to restart unexpectedly.
However, the company has refused to issue a patch to plug the vulnerability, arguing that the devices have reached end-of-life.
“Cisco has not released and will not release software updates to address the vulnerability described in this advisory,” shared Cisco in its advisory.
We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and we’d hugely appreciate if you’d share your experiences with us.
The zero-day bug, tracked as CVE-2021-34730, and rated with a critical severity score of 9.8, exists due to the improper validation of incoming UPnP traffic, and was reported by cybersecurity researchers from IoT Inspector Research Lab.
End of the line
Cisco shared that the small business VPN routers that are affected by this vulnerability include the RV110W, RV130, RV130W, and RV215W, all of which have reached end-of-life and aren’t actively supported.
The company advises owners of the vulnerable devices to switch to newer, supported versions, namely the RV132W, RV160, and RV160W router.
For what it’s worth though, as far as Cisco’s Product Security Incident Response Team (PSIRT) can tell there are no publicly known exploits of the vulnerability.
Furthermore, the vulnerability can be exploited only if the UPnP service is toggled on in the affected models. While Cisco has shared that the service is enabled by default, to protect themselves against exploits, owners of the vulnerable devices can simply disable the UPnP service.