Security Experts:

Connect with us

Hi, what are you looking for?



Cisco Patches Critical Vulnerabilities in Small Business Routers, SD-WAN

Cisco this week released software updates to address multiple vulnerabilities across its product portfolio, including critical severity bugs in several small business VPN routers and SD-WAN products.

Cisco this week released software updates to address multiple vulnerabilities across its product portfolio, including critical severity bugs in several small business VPN routers and SD-WAN products.

The company warned that the web-based management interface of small business RV160, RV160W, RV260, RV260P, and RV260W VPN routers is affected by seven severe vulnerabilities that could be abused by unauthenticated, remote attackers to execute arbitrary code as root.

The issue, Cisco says, exists because of improper validation of HTTP requests. Rated critical severity (CVSS score of 9.8), the flaws were addressed with the release of firmware versions and later for all of the affected products. Two high severity vulnerabilities were also fixed in these devices.

The tech company also released fixes for six bugs in SD-WAN products, the most important of which is rated critical severity (CVSS score 9.9). While not dependent on each other, the resolved issues could be abused to perform actions with root privileges on the affected devices.

Created by the improper input validation of user-supplied input, the flaws impact SD-WAN vBond Orchestrator Software, SD-WAN vEdge Cloud Routers, SD-WAN vEdge Routers, SD-WAN vManage Software, and SD-WAN vSmart Controller Software.

Cisco addressed these security holes in SD-WAN releases 19.2.4, 20.1.2, 20.3.2, and 20.4.1. The company also notes that it is not aware of these bugs being exploited in the wild.

This week, the company also detailed numerous high severity flaws in small business RV series routers, including a set of 30 bugs leading to arbitrary code execution or denial of service, and another of 5 issues that a remote attacker could exploit to inject arbitrary commands and have them executed with root privileges.

Caused by improper validation of user-supplied input, the flaws impact RV016, RV042, RV042G, RV082, RV320, and RV325 series routers, and were addressed with the release of firmware version for RV320 and RV325 routers.

The Cisco RV016, RV042, RV042G, and RV082 routers, however, won’t receive patches, because they have already reached end-of-life status.

Other high risk vulnerabilities that Cisco patched this week affect IOS XR software: one denial of service in the IPv6 protocol handling and two in the ingress packet processing function of IOS XR software, and two image verification bugs and one privilege escalation that affect IOS XR software for the Cisco 8000 series routers and Network Convergence System (NCS) 540 series routers.

Multiple high severity issues were addressed in SD-WAN products as well, including five flaws that could lead to denial of service, and three authorization bypasses that could allow attackers to modify configurations, access sensitive information, or view data without authorization.

Cisco also released patches for medium severity flaws in Webex, Unified Computing System (UCS), IOS XR Software, Managed Services Accelerator (MSX), and DNA Center, and announced that it would release software updates to fix multiple bugs in the DNS forwarder implementation of dnsmasq.

On Wednesday, the tech company expanded the list of products affected by the recent Sudo vulnerability with the addition of Virtual Topology System (formerly Cisco Virtual Systems Operations Center) – VTSR VM and Ultra Cloud.

Further information on the vulnerabilities Cisco has addressed in its products this week can be found on the company’s security portal.

Related: Cisco Patches Critical Vulnerabilities in SD-WAN, DNA Center, SSMS Products

Related: Over 70 Vulnerabilities Will Remain Unpatched in EOL Cisco Routers

Related: VMware, Cisco Reveal Impact of SolarWinds Incident

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.