Cisco says it’s fixed flaw affecting multiple small business VPN routers

Software updates containing patched firmware are available for all affected devices

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Cisco has released patches for two security flaws that impact several of the company’sVPN routersfor small businesses.

The two vulnerabilities, tracked asCVE-2021-1609andCVE-2021-1602, were discovered in the company’s web-based management interface.

While CVE-2021-1609, which exists as a result of improperly validated HTTP requests, impacts Cisco’s RV340, RV350W, RV345 and RV345P Dual WAN Gigabit VPN routers, CVE-2021-1602, which is due to insufficient user input validation, impacts RV160, RV160W, RV260, RV260P and RV260W VPN routers.

We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and we’d hugely appreciate if you’d share your experiences with us.

Click here to start the survey in a new window«

According to asecurity advisoryfrom Cisco, CVE-2021-1609 can be exploited by a remote attacker on one of the vulnerable VPN routers to execute arbitrary code or to cause the device to reload resulting in a denial of service (DoS) condition.

In a secondsecurity advisory, the networking giant explained that CVE-2021-1602 can be exploited by an unauthenticated, remote attacker to execute arbitrary commands on the underlyingoperating systemof affected devices.

Remote management disabled by default

Although these two vulnerabilities have CVSS scores of 9.8 and 8.2, launching an attack that exploits them will prove challenging for hackers as the remote management feature is disabled by default on all of the affected VPN routers.

Instead organizations need to use a local LAN connection to access Cisco’s web-based management interface where both security flaws reside. Still though, owners of affected devices can check to see if remote management has been enabled by accessing the web-based management interface, going to “Basic Settings” and seeing if the “Remote Management” option has been toggled on.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

While Cisco says that there are no workarounds available to address these vulnerabilities, the company has released software updates to address both security flaws. Additionally the company’s Product Security Incident Response Team (PSIRT) has not observed any exploits or attacks in the wild leveraging these vulnerabilities.

Organizations that own one of the impacted VPN routers can go to Cisco’sSoftware Centerto download the patched firmware for their devices.

ViaBleeping Computer

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.

3 reasons why PIA fell in our best VPN rankings

Is it still worth using Proton VPN Free?

Arcane season 2 confirms the hit series isn’t just one of the best Netflix shows ever made – it’s an animated legend that’ll stand the test of time