Cisco this week published information on a critical code execution vulnerability affecting its small business RV110W, RV130, RV130W, and RV215W routers, but cautioned that there are no plans to release security fixes.
Tracked as CVE-2021-34730 with a CVSS score of 9.8, the vulnerability exists in the Universal Plug-and-Play (UPnP) service of the affected routers and could be abused by an unauthenticated, remote attacker to execute code as root, or cause a denial of service condition.
“This vulnerability is due to improper validation of incoming UPnP traffic. An attacker could exploit this vulnerability by sending a crafted UPnP request to an affected device,” Cisco said.
Cisco also notes it does not plan to release patches for the vulnerability because it affects older products that have already reached end-of-life (EOL) status.
[ Related: BadAlloc: Microsoft Flags Major Security Holes in OT, IoT Devices ]
Owners of RV110W Wireless-N VPN Firewalls, RV130 VPN Routers, RV130W Wireless-N Multifunction VPN Routers, and RV215W Wireless-N VPN Routers are advised to disable UPnP on both the LAN and WAN interfaces of their devices, to mitigate the bug. UPnP is enabled by default on LAN interfaces.
“While this mitigation has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions,” Cisco notes, adding that was unaware of the vulnerability being exploited in the wild.
On Wednesday, Cisco also published an advisory detailing the BadAlloc vulnerability affecting BlackBerry QNX, but only to announce that it has launched an investigation to determine whether any of its products or services are impacted.
The issue, BlackBerry revealed this week, affects the QNX Software Development Platform (SDP) version 6.5.0SP1 and earlier, QNX OS for Medical version 1.1 and earlier, and QNX OS for Safety version 1.0.1 and earlier.
An attacker able to exploit the vulnerability could execute arbitrary code or cause a denial of service condition.
Related: Cisco Patches Critical Vulnerability in Small Business VPN Routers
Related: Cisco Patches High Severity Vulnerabilities in BPA, WSA
Related: Cisco Plugs High-Risk Security Flaws in Webex, SD-WAN