Project Hyphae

Cisco’s RV Routers: End of Life and End of Security


Cisco has announced that it will not release patches for a critical vulnerability (CVE-2023-20025) affecting its small business RV016, RV042, RV042G, and RV082 routers, because the devices have reached end of life. The vulnerability, which has a CVSS score of 9.0, is in the routers' web-based management interface and could be exploited to bypass authentication. It exists because user input within incoming HTTP packets is not properly validated, so an attacker can send crafted HTTP requests to the router to bypass authentication and gain root access to the operating system. Cisco also warned of a high-severity bug in the web-based management interface of the same routers that could lead to remote command execution (CVE-2023-20026); exploiting it requires the attacker to be authenticated. To mitigate these vulnerabilities, administrators can disable remote management on the affected devices and block access to ports 443 and 60443. Cisco says it is not aware of any malicious attacks targeting the vulnerabilities.
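One way to confirm the port-blocking mitigation has taken effect on your own routers is to test, from outside the protected network, whether ports 443 and 60443 still accept TCP connections. The script below is an added example, not code from Cisco or from this post; the function names and the inventory addresses are assumptions made for illustration.

```python
"""Added example: verify that RV router management ports are no longer reachable."""
import socket

# Management ports named in the mitigation guidance above.
MGMT_PORTS = (443, 60443)


def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable, or unresolvable
        return False


def audit(routers, ports=MGMT_PORTS, probe=tcp_open):
    """Map each router address to the sorted list of management ports still reachable."""
    return {host: sorted(p for p in ports if probe(host, p)) for host in routers}


def report(results):
    """Return one line per router: OK if nothing is reachable, else the exposed ports."""
    lines = []
    for host, exposed in sorted(results.items()):
        if exposed:
            lines.append(f"{host}: EXPOSED on {', '.join(map(str, exposed))}")
        else:
            lines.append(f"{host}: OK (management ports not reachable)")
    return lines


if __name__ == "__main__":
    # Constructed sample inventory (TEST-NET-3 documentation addresses); replace
    # with the WAN addresses of your own RV016/RV042/RV042G/RV082 devices and
    # run this from a host outside the network the routers protect.
    inventory = ["203.0.113.10", "203.0.113.11"]
    for line in report(audit(inventory)):
        print(line)
```

A result of OK only shows the ports are unreachable from the vantage point the script ran on, so run it from each network segment that should be blocked.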

Links:

https://www.securityweek.com/cisco-warns-critical-vulnerability-eol-small-business-routers

https://www.helpnetsecurity.com/2023/01/12/cve-2023-20025-cve-2023-20026/


