Critical vulnerabilities in three small business router models and one VPN firewall device are not going to be patched.
Cisco Systems said it will not fix a critical vulnerability found in its products because the affected devices are of varying ages and have reached “end of life.” The company issued an advisory announcing the discontinued support for these devices in 2019.
The company advises its customers to replace the outdated models with newer Cisco Small Business RV132W, RV160, or RV160W Routers.
The bug, tracked as CVE-2021-1459, could allow unauthenticated remote users to trigger a buffer overflow, hijack targeted equipment, and gain elevated privileges within compromised systems.
The three flawed Cisco router models are RV110W, RV130, and RV215W, and the VPN firewall device is RV130W.
“Cisco has not released and will not release software updates to address the vulnerability described in this advisory. The Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have entered the end-of-life process,” the company wrote.
Cisco added that there are no workarounds that address this vulnerability.
The bug, described in the Cisco Systems Security Advisory posted Wednesday, is due to improper validation of user-supplied input in the web management interface.
“An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system of the affected device,” Cisco wrote.
To date, there has been no information or reports about the exploitation of the bug in the wild.
“The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory,” Cisco noted in the release.