Security Experts:

Connect with us

Hi, what are you looking for?



Researcher Finds Several Vulnerabilities in Cisco Small Business Switches

A researcher has identified several vulnerabilities, including ones that have been rated high severity, in Cisco’s Small Business 220 series smart switches. The networking giant this week informed customers about the availability of patches for these flaws.

A researcher has identified several vulnerabilities, including ones that have been rated high severity, in Cisco’s Small Business 220 series smart switches. The networking giant this week informed customers about the availability of patches for these flaws.

The vulnerabilities were discovered by security researcher Jasper Lievisse Adriaanse, and they impact switches that run firmware versions earlier than and have the web-based management interface enabled — the interface is enabled by default.

In an advisory released this week, Cisco said Lievisse Adriaanse found four types of security holes in the small business switches.

One of them, tracked as CVE-2021-1542 and rated high severity, can be exploited by a remote, unauthenticated attacker to hijack a user’s session and gain access to the switch’s web interface. Depending on the privileges of the targeted user, the attacker could gain admin-level access to the management interface.

Another high-severity issue is CVE-2021-1541, which allows a remote attacker with admin permissions on the device to execute arbitrary commands with root privileges on the underlying operating system.

Lievisse Adriaanse told SecurityWeek that while he hasn’t tested this, it may be possible for an attacker to chain these two vulnerabilities.

The other two flaws found by the researcher, both classified as medium severity by Cisco, could allow a remote, unauthenticated attacker to launch XSS attacks (CVE-2021-1543) or HTML injection attacks (CVE-2021-1571).

“[In the case of the] XSS flaw, the vector which I tested and verified was by exploiting a vulnerability in how certain packets which are only valid on the same L2 domain are parsed,” Lievisse Adriaanse explained.

He added, “It should be possible, if you’re on the same L2 domain, to perform the XSS attack through CVE-2021-1543, obtain the CSRF token and perform arbitrary actions as the logged in user. As I don’t write a lot of Javascript I didn’t attempt to write a payload to subsequently exploit CVE-2021-1541. Note however that due to lacking Content-Security-Policy headers you can use CVE-2021-1543 to include remote Javascript code. So you’re not limited by the packet size of the abused L2 protocol. I guess with enough experience and determination one could concoct a payload to do anything in the UI.”

Asked about a worst case theoretical attack scenario involving these vulnerabilities, the researcher said, “Theoretically speaking, the worst case scenario is someone on the same L2 domain performs the XSS attack and obtains administrative privileges (or pull off the authentication bypass) and while at it they could gain root on the underlying OS. I guess you could set up a span port and MiTM all traffic going through the switch, or perhaps find a way to gain persistence. With administrative access to the web interface and root on the underlying minimal Linux system the options are abundant.”

The researcher said that while he hasn’t checked, the impacted switches should not be directly exposed to the internet.

Cisco this week also announced patches for high-severity flaws affecting AnyConnect Secure Mobility Client for Windows (DLL hijacking by authenticated attacker), DNA Center (unauthenticated attacker can view and alter sensitive information), and Email Security and Web Security appliances (unauthenticated attacker can intercept traffic).

Related: Several High-Severity Vulnerabilities Expose Cisco Firewalls to Remote Attacks

Related: Several Cisco Products Exposed to DoS Attacks Due to Snort Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.