Cisco acknowledged yesterday that it bungled a crucial patch for a vulnerability in two router models. The company’s shoddy initial patches allowed hackers to continue attacks throughout the past two months.
The security flaws impact Cisco RV320 and RV325 WAN VPN routers, two models popular with internet service providers and large enterprises.
Cisco patched two security flaws impacting RV320 and RV325 routers at the end of January. The two were:
- CVE-2019-1652 – allows a remote attacker to inject and run admin commands on the device without a password.
- CVE-2019-1653 – allows a remote attacker to get sensitive device configuration details without a password.
The two vulnerabilities came under active attack after multiple security researchers released proof-of-concept code demonstrating how the bugs worked and how they could be abused to take over routers.
Around 10,000 of these high-powered devices were, and still are, accessible online and vulnerable to attacks.
At first, it was believed that the Cisco patches would be enough to protect these vulnerable devices. However, yesterday, the security firm that originally discovered these bugs revealed that Cisco’s patches had been woefully incomplete [1, 2, 3].