Cisco Fixes Critical, High-Severity Pre-Auth Flaws in VPN Routers

Cisco has fixed pre-authentication security vulnerabilities affecting multiple Small Business VPN routers that allow remote attackers to trigger a denial-of-service condition or execute arbitrary commands and code on vulnerable devices.

The two flaws, tracked as CVE-2021-1609 (CVSS score 9.8/10) and CVE-2021-1602 (8.2/10), were found in the routers' web-based management interface and stem from improper validation of HTTP requests and insufficient validation of user-supplied input, respectively.

CVE-2021-1609 affects the RV340W, RV340, RV345, and RV345P Dual WAN Gigabit VPN routers, while CVE-2021-1602 affects the RV160, RV160W, RV260, RV260P, and RV260W VPN routers.

Both flaws can be exploited remotely without authentication in low-complexity attacks that require no user interaction.

Attackers can exploit the vulnerabilities by sending specially crafted HTTP requests to the web-based management interface of an affected router.

Remote Management Is Disabled by Default on All Affected Routers

Fortunately, as Cisco explains, the remote management feature is disabled by default on all affected VPN router models. “The web-based management interface for these devices is available through local LAN connections by default and cannot be disabled there,” Cisco stated.

“The interface can also be available through the WAN interface by allowing the remote management feature. By default, the remote management feature is disabled on the victim devices.”

To check whether remote management is enabled on your device, open the router's web-based management interface over a local LAN connection and see whether the Basic Settings > Remote Management option is turned on.
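The setting check above tells you whether the interface is exposed on the WAN side; a complementary check is to look at who is actually reaching the management interface. The script below is an added example, not code from the article or from Cisco: it parses web-management access records, classifies each request by whether its source address falls inside the router's LAN subnets, and reports every request that arrived from outside. The log layout, the LAN subnet, the hostname and the request paths are all constructed for this example; a real device's log format will differ and the parser's regular expression would need to be adapted to it.

```python
"""Flag web-management requests that reach a router from outside its LAN.

Added example (not from the article or from Cisco). The affected routers'
web-based management interface is reachable from the LAN by default and
from the WAN only when remote management is enabled, so requests to it
from non-LAN sources mean either that remote management is exposed or
that something outside is probing the interface.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample records in a syslog-like layout. This is NOT a real
# Cisco log format; hostname, addresses and paths are invented for the demo.
SAMPLE_LOG = """\
2021-08-05T10:01:12Z rv340 webmgmt: src=192.168.1.25 method=GET path=/login.html status=200
2021-08-05T10:01:40Z rv340 webmgmt: src=192.168.1.25 method=POST path=/login status=200
2021-08-05T10:03:09Z rv340 webmgmt: src=203.0.113.77 method=POST path=/upload status=403
2021-08-05T10:03:10Z rv340 webmgmt: src=203.0.113.77 method=GET path=/ status=200
2021-08-05T10:05:55Z rv340 webmgmt: src=10.0.0.5 method=GET path=/ status=200
"""

# Matches one record of the constructed layout above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) webmgmt: src=(?P<src>\S+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)


@dataclass
class Finding:
    timestamp: str
    source: str
    method: str
    path: str
    status: int


def parse_line(line):
    """Return the record's fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def external_management_requests(log_text, lan_networks):
    """Return a Finding for every request whose source lies outside all LAN networks.

    lan_networks is a list of CIDR strings covering every subnet from which
    local administration is expected; anything else is treated as external.
    """
    nets = [ipaddress.ip_network(n) for n in lan_networks]
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unrecognised line: skip rather than guess
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            continue  # malformed source field
        if any(src in net for net in nets):
            continue  # local administration, expected
        findings.append(
            Finding(rec["ts"], rec["src"], rec["method"], rec["path"], int(rec["status"]))
        )
    return findings


def summarize(findings):
    """Map each external source address to the number of requests it made."""
    counts = {}
    for f in findings:
        counts[f.source] = counts.get(f.source, 0) + 1
    return counts


if __name__ == "__main__":
    hits = external_management_requests(SAMPLE_LOG, ["192.168.1.0/24"])
    for f in hits:
        print(f"{f.timestamp} {f.source} {f.method} {f.path} -> {f.status}")
    print("per-source request counts:", summarize(hits))
```

Note that a private address is not automatically local: with only `192.168.1.0/24` declared, the request from `10.0.0.5` is reported as external, so every subnet from which administration is legitimately performed must be listed. Any external hit on a router whose Remote Management setting is believed to be off is worth investigating, since it contradicts the expected exposure.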

Cisco has released software updates that address these vulnerabilities and says there are no workarounds that remove the attack vectors.

To download the patched firmware from Cisco's Software Center, click Browse All on Cisco.com and navigate to Downloads Home > Routers > Small Business Routers > Small Business RV Series Routers.

No Known In-the-Wild Exploitation


While Cisco says that its “Product Security Incident Response Team (PSIRT) is not fully familiar with any public announcements or malicious use” of the two flaws, similar router vulnerabilities have been exploited in the wild in the past.

In August 2020, Cisco warned of actively exploited zero-day bugs (CVE-2020-3566 and CVE-2020-3569) in carrier-grade IOS XR routers with multicast routing enabled. The company patched the zero-days in late September 2020, one month after the initial warning.

A month later, in October 2020, Cisco again warned of ongoing attacks targeting a separate high-severity vulnerability (CVE-2020-3118) in the IOS XR network operating system running on the same router models.

On the same day, the US National Security Agency (NSA) listed CVE-2020-3118 among 25 security vulnerabilities targeted or exploited by Chinese state-sponsored threat actors.

In July 2020, Cisco fixed another actively exploited ASA/FTD firewall flaw and a critical pre-auth remote code execution (RCE) bug that could lead to full device takeover on vulnerable devices.
