Over 70 Vulnerabilities Will Remain Unpatched in EOL Cisco Routers

Cisco this week announced that it does not plan on addressing tens of vulnerabilities affecting some of its small business routers.

A total of 68 high-severity flaws were identified in Cisco’s Small Business RV110W, RV130, RV130W, and RV215W routers, but the company says patches won’t be released, because these devices have reached end-of-life (EOL). The last day for software maintenance releases and bug fixes was December 1, 2020.

The security bugs exist because user-supplied input to the web-based management interface of the affected router series is not properly validated, thus allowing an attacker to send crafted HTTP requests to exploit these issues.

An attacker able to successfully exploit these vulnerabilities would be able to execute arbitrary code with root privileges on the underlying operating system. A mitigating factor, however, is that valid administrator credentials are required for exploitation.

In an advisory detailing 63 of these flaws, the tech giant explains that an attacker could also abuse them to restart the affected devices, leading to a denial-of-service (DoS) condition.

Cisco notes that the web-based management interface on these devices can be accessed either from the LAN or through a WAN connection, provided that remote management is enabled. However, the remote management feature is disabled by default on these devices.

“Cisco has not released and will not release software updates to address the vulnerabilities described […]. The Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have entered the end-of-life process. Customers are advised to refer to the end-of-life notices for these products,” the company underlines.

Eight other vulnerabilities that remain unpatched in the same small business router series have been assessed as medium severity. These bugs could be abused by authenticated, remote attackers to launch cross-site scripting (XSS) attacks or access sensitive, browser-based information.

According to Cisco, there are no workarounds to address these vulnerabilities. However, the company says that it is not aware of public exploits targeting the security bugs.

Cisco this week released patches for tens of vulnerabilities, including two high-severity issues in enterprise software solutions.

The most important of these flaws is CVE-2021-1144, a high-severity bug (CVSS score of 8.8) in Connected Mobile Experiences (CMX) that could be abused by an authenticated attacker to modify the passwords for any user account on the system, including administrator accounts.

The bug exists because authorization checks for changing passwords are not correctly handled, so an authenticated attacker can exploit it even without administrative privileges. The attacker can abuse the bug by sending a modified HTTP request to a vulnerable device.
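The class of flaw described here, as an added example (not Cisco's code and not taken from the advisory): a password-change handler that only checks that the caller is logged in, beside one that ties the target account to the session or to an admin role. `UserStore`, the handler names and the status codes are hypothetical.

```python
import hashlib, hmac, os

def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class UserStore:
    """In-memory account table; all accounts are constructed sample data."""
    def __init__(self):
        self.users = {}
    def add(self, name, pw, role="user"):
        self.users[name] = {"role": role}
        self.set_password(name, pw)
    def set_password(self, name, pw):
        salt = os.urandom(16)
        self.users[name].update(salt=salt, hash=_hash(pw, salt))
    def verify(self, name, pw):
        u = self.users.get(name)
        return bool(u) and hmac.compare_digest(u["hash"], _hash(pw, u["salt"]))

def change_password_flawed(store, session_user, target, new_pw):
    # Flawed: authentication only. The target account comes from the
    # request and is never compared with the session that sent it.
    if session_user not in store.users:
        return 401
    store.set_password(target, new_pw)
    return 200

def change_password_checked(store, session_user, target, new_pw, current_pw=None):
    caller = store.users.get(session_user)
    if caller is None:
        return 401                      # not authenticated
    if target != session_user and caller["role"] != "admin":
        return 403                      # non-admin acting on another account
    if target not in store.users:
        return 404                      # only admins can reach this branch
    if target == session_user and not (
        current_pw is not None and store.verify(session_user, current_pw)
    ):
        return 403                      # self-service needs the current password
    store.set_password(target, new_pw)
    return 200
```

The authorization decision is made before the existence check so that a non-admin caller cannot use the 404 response to enumerate accounts.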

Another high-severity flaw was found in the AnyConnect Secure Mobility Client for Windows, affecting the endpoint solution’s Network Access Manager and Web Security Agent components.

Tracked as CVE-2021-1237 (CVSS score of 7.8), the issue could be abused by an authenticated, local attacker for DLL injection. The bug exists because resources that the application loads at runtime are insufficiently validated.

“An attacker could exploit this vulnerability by inserting a configuration file in a specific path in the system which, in turn, causes a malicious DLL file to be loaded when the application starts. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges,” Cisco explains.

The tech giant has released software updates to address both of these vulnerabilities and says that it is not aware of public exploits targeting either of them.

Cisco also published 18 other advisories detailing medium-severity bugs in Webex, ASR 5000 routers, Proximity Desktop for Windows, Enterprise NFV Infrastructure Software (NFVIS), Finesse, Video Surveillance 8000 IP Cameras, Firepower Management Center (FMC), DNA Center, Unified Communications products, CMX API authorizations, and AnyConnect Secure Mobility Client.

Three medium-severity vulnerabilities related to the Snort detection engine were found to impact a broad range of Cisco products, including Integrated Services Routers (ISRs), Cloud Services Router 1000V, Firepower Threat Defense (FTD), Integrated Services Virtual Router (ISRv), and several Meraki product series.

Details on these vulnerabilities can be found in the advisories Cisco published on its security portal.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
