Cisco fixes major security flaw affecting VPN routers

Vulnerabilities carry a severity rating of 9.8

Cisco has issued patches for a security flaw affecting several of its small business VPN routers. The vulnerabilities, which allow attackers to conduct remote code execution attacks, carry a severity rating of 9.8 out of 10.

The company revealed that a number of VPN routers were affected if they were running firmware that pre-dated version 1.0.01.02. Cisco also confirmed that its Dual WAN Gigabit VPN Routers (including RV340, RV340W, RV345, and RV345P) were not affected by the security bugs.

“Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device,” a Cisco security advisory explains. “Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.”
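To triage a device inventory against the affected models and the fixed firmware version named above, a check along these lines can be used. It is an added example, not code from Cisco or from the original article; the CSV column names, hostnames and sample firmware strings are assumptions, as is comparing version segments as integers.

```python
import csv
import io

# From the article: affected models and the first fixed firmware release.
AFFECTED_MODELS = {"RV160", "RV160W", "RV260", "RV260P", "RV260W"}
FIXED_VERSION = "1.0.01.02"


def parse_version(text):
    """Turn '1.0.01.02' into (1, 0, 1, 2); return None if it is not dotted digits."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def triage(model, firmware):
    """Classify one device as 'not-listed', 'patched', 'vulnerable' or 'unknown'."""
    if model.strip().upper() not in AFFECTED_MODELS:
        return "not-listed"  # model is not in the article's affected list
    version = parse_version(firmware)
    if version is None:
        return "unknown"  # unreadable version on an affected model: check by hand
    fixed = parse_version(FIXED_VERSION)
    # Pad so that a shorter string such as '1.0.1' compares as 1.0.1.0.
    width = max(len(version), len(fixed))
    version += (0,) * (width - len(version))
    fixed += (0,) * (width - len(fixed))
    return "vulnerable" if version < fixed else "patched"


def triage_inventory(csv_text):
    """Map hostname -> status for a CSV with host, model and firmware columns."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: triage(row["model"], row["firmware"]) for row in reader}


# Constructed sample inventory; hostnames and firmware strings are made up.
SAMPLE = """host,model,firmware
branch-01,RV160,1.0.00.15
branch-02,rv260w,1.0.01.02
branch-03,RV260P,unknown
hq-01,RV340,1.0.03.15
"""

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host}: {status}")
```

Devices reported as "unknown" are affected models whose firmware string could not be parsed and should be checked on the device itself.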

All fixed up

In the advisory Cisco also revealed that the VPN vulnerabilities existed because HTTP requests were not being properly validated. By sending a crafted HTTP request, an attacker could execute arbitrary code as a root user on an affected device.

Fortunately, Cisco has now issued fixes for all the affected routers, which are applied by updating the device’s firmware. To install the patch, users should visit the Cisco Software Center, find the appropriate router and then select “Small Business Router Firmware.” The left pane of the product page will contain the firmware update for download. Individuals with a Cisco service contract should be offered the patches directly.

In other good news, there are currently no known exploits in the wild involving the VPN router vulnerabilities. Cisco has also recently issued security fixes involving a number of other business products, which can be found here.

Via Bleeping Computer

Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services.  After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things.
