A critical vulnerability in Cisco's Small Business Routers is not being patched by the company. The bug, CVE-2021-34730, affects the RV110W, RV130, RV130W, and RV215W models of Cisco Small Business Routers. CVE-2021-34730 earns a critical 9.8 score on the Common Vulnerability Scoring System (CVSS) because it allows remote code execution (RCE) and denial-of-service (DoS) attacks.
In its threat report, Cisco says the vulnerability is caused by the following factors:
This vulnerability is due to improper validation of incoming UPnP traffic. An attacker could exploit this vulnerability by sending a crafted UPnP request to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a DoS condition.
There are no workarounds for CVE-2021-34730, and as stated earlier in this article, Cisco has decided not to patch this vulnerability. In a report for Kaspersky Lab's Threatpost, reporter Tara Seals homes in on why this is the case. Seals says that the Cisco Small Business Routers RV110W, RV130, RV130W, and RV215W have all reached end-of-life. This occurred in September 2019, and as of December 2020, the company officially stopped releasing patches for the affected models.
However, what is odd is the decision by Cisco to release a recent threat report on such a critical vulnerability yet decide to do nothing about it. Why bother releasing the threat report in the first place? While one could surmise that it would incentivize businesses using the routers to upgrade, history shows this does not always happen. Look at how many systems have recently been compromised in the public and private sectors thanks to institutions insisting on using legacy systems.
Perhaps if a sudden outbreak of RCE and DoS attacks starts occurring, especially since threat actors now know about CVE-2021-34730, Cisco may reverse its decision and patch the routers. Admittedly, this would have to be a significant crisis to warrant such action, so hopefully, it does not come to that.