Cisco this week released software updates to address multiple vulnerabilities across its product portfolio, including critical severity bugs in several small business VPN routers and SD-WAN products.
The company warned that the web-based management interface of small business RV160, RV160W, RV260, RV260P, and RV260W VPN routers is affected by seven severe vulnerabilities that could be abused by unauthenticated, remote attackers to execute arbitrary code as root.
The issue, Cisco says, exists because of improper validation of HTTP requests. Rated critical severity (CVSS score of 9.8), the flaws were addressed with the release of firmware versions 1.0.01.02 and later for all of the affected products. Two high severity vulnerabilities were also fixed in these devices.
The tech company also released fixes for six bugs in SD-WAN products, the most important of which is rated critical severity (CVSS score 9.9). While not dependent on each other, the resolved issues could be abused to perform actions with root privileges on the affected devices.
Created by the improper input validation of user-supplied input, the flaws impact SD-WAN vBond Orchestrator Software, SD-WAN vEdge Cloud Routers, SD-WAN vEdge Routers, SD-WAN vManage Software, and SD-WAN vSmart Controller Software.
Cisco addressed these security holes in SD-WAN releases 19.2.4, 20.1.2, 20.3.2, and 20.4.1. The company also notes that it is not aware of these bugs being exploited in the wild.
This week, the company also detailed numerous high severity flaws in small business RV series routers, including a set of 30 bugs leading to arbitrary code execution or denial of service, and another of 5 issues that a remote attacker could exploit to inject arbitrary commands and have them executed with root privileges.
Caused by improper validation of user-supplied input, the flaws impact RV016, RV042, RV042G, RV082, RV320, and RV325 series routers, and were addressed with the release of firmware version 1.5.1.13 for RV320 and RV325 routers.
The Cisco RV016, RV042, RV042G, and RV082 routers, however, won’t receive patches, because they have already reached end-of-life status.
Other high risk vulnerabilities that Cisco patched this week affect IOS XR software: one denial of service in the IPv6 protocol handling and two in the ingress packet processing function of IOS XR software, and two image verification bugs and one privilege escalation that affect IOS XR software for the Cisco 8000 series routers and Network Convergence System (NCS) 540 series routers.
Multiple high severity issues were addressed in SD-WAN products as well, including five flaws that could lead to denial of service, and three authorization bypasses that could allow attackers to modify configurations, access sensitive information, or view data without authorization.
Cisco also released patches for medium severity flaws in Webex, Unified Computing System (UCS), IOS XR Software, Managed Services Accelerator (MSX), and DNA Center, and announced that it would release software updates to fix multiple bugs in the DNS forwarder implementation of dnsmasq.
On Wednesday, the tech company expanded the list of products affected by the recent Sudo vulnerability with the addition of Virtual Topology System (formerly Cisco Virtual Systems Operations Center) – VTSR VM and Ultra Cloud.
Further information on the vulnerabilities Cisco has addressed in its products this week can be found on the company’s security portal.
Related: Cisco Patches Critical Vulnerabilities in SD-WAN, DNA Center, SSMS Products
Related: Over 70 Vulnerabilities Will Remain Unpatched in EOL Cisco Routers

More from Ionut Arghire
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Atlassian Warns of Critical Jira Service Management Vulnerability
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Malicious NPM, PyPI Packages Stealing User Information
Latest News
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- China Says It’s Looking Into Report of Spy Balloon Over US
- GoAnywhere MFT Users Warned of Zero-Day Exploit
