
Cisco has published a security advisory for a vulnerability in its RV340 and RV345 Dual WAN Gigabit VPN routers that could allow an authenticated, remote attacker to execute arbitrary code on affected devices.
The vulnerability, tracked as CVE-2024-20416 and rated CVSS 6.5, stems from insufficient boundary checks when processing specific HTTP requests. The authentication requirement keeps the score in the medium range, but a successful attack grants the attacker extensive control over the router's underlying operating system.
Despite this, Cisco has announced that it will not release software updates to address the flaw, because the affected router models have reached end-of-life status. The following Cisco products are affected when running Cisco Small Business Router Firmware Release 1.0.03.24 or later:
- RV340 Dual WAN Gigabit VPN Routers
- RV340W Dual WAN Gigabit Wireless-AC VPN Routers
- RV345 Dual WAN Gigabit VPN Routers
- RV345P Dual WAN Gigabit PoE VPN Routers
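Since the advisory gives a model list and a firmware threshold rather than a fix, the practical first step is to find every affected unit in your own inventory. The script below is an added example, not Cisco's code; the inventory rows are constructed, and the only facts it encodes are the four model names and the 1.0.03.24 threshold from the advisory. It compares firmware strings component-wise as integers so that zero-padded releases such as 1.0.03.24 compare correctly (a plain string sort would rank 1.0.03.9 above 1.0.03.24), and it routes devices with missing or unparsable firmware to a review bucket instead of silently treating them as safe.

```python
"""
Triage a router inventory against the CVE-2024-20416 advisory range:
RV340 / RV340W / RV345 / RV345P running firmware 1.0.03.24 or later.
Added example, not Cisco's code. SAMPLE_INVENTORY is constructed data.
"""
from typing import Optional

# Affected models and the first affected firmware release, per the advisory.
AFFECTED_MODELS = {"RV340", "RV340W", "RV345", "RV345P"}
AFFECTED_FROM = "1.0.03.24"

# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    {"host": "branch-rtr-01", "model": "RV340", "firmware": "1.0.03.26"},
    {"host": "branch-rtr-02", "model": "RV345P", "firmware": "1.0.03.22"},
    {"host": "branch-rtr-03", "model": "RV345", "firmware": "1.0.03.24"},
    {"host": "branch-rtr-04", "model": "RV260", "firmware": "1.0.01.09"},
    {"host": "branch-rtr-05", "model": "RV340W", "firmware": None},
]


def parse_version(version: str) -> tuple:
    """Turn a dotted firmware string like '1.0.03.24' into an integer tuple.

    Integer components make '1.0.03.24' and '1.0.3.24' equal and keep
    '1.0.03.9' below '1.0.03.24'; string comparison would get both wrong.
    Raises ValueError for strings that are not dotted integers.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(model: str, firmware: Optional[str]) -> Optional[bool]:
    """Return True if in the advisory range, False if not, None if undecidable.

    None means the model matches but the firmware is missing or malformed,
    so the device must be checked by hand rather than assumed safe.
    """
    if model.strip().upper() not in AFFECTED_MODELS:
        return False
    if not firmware:
        return None
    try:
        return parse_version(firmware) >= parse_version(AFFECTED_FROM)
    except ValueError:
        return None


def triage(inventory):
    """Split inventory rows into affected / unaffected / review host lists."""
    buckets = {"affected": [], "unaffected": [], "review": []}
    for row in inventory:
        verdict = is_affected(row["model"], row.get("firmware"))
        if verdict is None:
            key = "review"
        elif verdict:
            key = "affected"
        else:
            key = "unaffected"
        buckets[key].append(row["host"])
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>10}: {', '.join(hosts) or '-'}")
```

Note that "unaffected" here only means outside the range the advisory names; an RV340-series unit on older firmware is still an end-of-life device with no future fixes, so the replacement recommendation applies to it as well.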
Cisco has confirmed that there are no workarounds for this vulnerability. With no software fix available, the only recommended course of action is to replace the affected routers with newer, supported models.
While Cisco PSIRT is not currently aware of any public exploits or malicious use of the vulnerability, the absence of a patch underscores the urgency of doing so.


