Cisco won’t fix router flaws even though PoC exploit is available (CVE-2023-20025, CVE-2023-20026)
Cisco has acknowledged one critical (CVE-2023-20025) and two medium-severity (CVE-2023-20026, CVE-2023-20045) vulnerabilities affecting some of its Small Business series of routers, but won’t be fixing them as the devices “have entered the end-of-life process.”
Proof-of-concept exploit code for CVE-2023-20025 and CVE-2023-20026 is available online, but there is currently no indication of any of these flaws being exploited by attackers.
About the vulnerabilities
CVE-2023-20025 is an authentication bypass vulnerability in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, and RV082 VPN routers. CVE-2023-20026 is a RCE in the same component of the same series of routers.
Cisco says that the vulnerabilities are not dependent on one another and that attackers don’t have to exploit them together. But leveraging an authentication bypass with a remote code execution vulnerability that requires attackers to be able to authenticate first is a no-brainer.
CVE-2023-20045 is a RCE flaw in the web-based management interface of Cisco Small Business RV160 and RV260 Series VPN routers, and also requires successful authentication before exploitation (meaning: the attacker must have valid Administrator-level credentials on the affected device). There’s no public PoC exploit for this one.
No fixes, but there are possible risk mitigation measures
Cisco “has not released and will not release software updates” to address any of these vulnerabilities. As noted in the advisories:
- RV082 and RV016 are already “outdated”
- RV042 and RV042G will stop being supported in January 2025, but have stopped receiving maintenance releases or bug fixes in January 2021
- RV 160 and RV260 (and RV345P, RV340W, RV260W, RV260P and RV160W) will stop being supported in September 2026, and have received the last software patches in September 2022.
Admins in charge of vulnerable devices can disable their web-based management interface and block access to ports 443 and 60443 (and other ports in use) via access control lists / rules.
In RV160 and RV260 devices, the vulnerable web-based management interface is available through local LAN connections by default and can be made available through the WAN interface (but the feature allowing this is disabled by default).
Mitigations should be tested before being deployed and only deployed until the equipment can be replaced with newer, supported alternatives. Cisco (and other manufacturers) naturally prefer admins to go for the latter option when products stop being supported.