Cisco addressed critical and high severity pre-auth security vulnerabilities that impact multiple Small Business VPN routers. The two security flaws tracked as CVE-2021-1609 (rated 9.8/10) and CVE-2021-1602 (8.2/10) were found in the web-based management interfaces and exist due to improperly validated HTTP requests and insufficient user input validation, respectively.
CVE-2021-1609 impacts RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN routers, while CVE-2021-1602 affects RV160, RV160W, RV260, RV260P, and RV260W VPN routers.
Both bugs are exploitable remotely without requiring authentication as part of low complexity attacks that don’t require user interaction. Attackers could exploit the vulnerabilities by sending maliciously crafted HTTP requests to the affected routers’ web-based management interfaces.
The web-based management interface for these devices is available through local LAN connections by default and cannot be disabled there. The interface can also be made available through the WAN interface by enabling the remote management feature. By default, the remote management feature is disabled on affected devices.
The IT giant says no workarounds are available to secure the devices, the Product Security Incident Response Team (PSIRT) is not aware of attacks in the wild exploiting the above flaws.