Active Scans Target Vulnerable Cisco Routers for Remote Code-Execution

cisco patch vulnerability

Cyberattackers are targeting a pair of just-patched vulnerabilities that allow remote unauthenticated information disclosure leading to remote code-execution.


Malicious scanning activity targeting Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN routers is underway, with a swell of opportunistic probes looking for vulnerable devices ramping up since Friday.

According to Bad Packets Report’s honeypot data, cyberattackers are targeting a pair of just-patched vulnerabilities that allow remote unauthenticated information disclosure (CVE-2019-1653) leading to remote code-execution (CVE-2019-1652) on the routers. There are more than 9,000 routers open to the attack, the firm found.

The first vulnerability exists in the web-based management interface for RV320/RV325; a simple GET request for /cgi-bin/config.exp returns full details of the device’s configuration settings, including administrator credentials (the password is hashed though).

“[This] could allow an unauthenticated, remote attacker to retrieve sensitive configuration information,” explained researcher Troy Mursch, in an advisory published over the weekend. “All configuration details of the RV320/RV325 router are exposed by this vulnerability.”

Bad Packets Report’s own scanning efforts using BinaryEdge, which canvassed 15,309 unique IPv4 hosts, determined that 9,657 Cisco RV320/RV325 routers are vulnerable to CVE-2019-1653: Broken down, it works out to 6,247 vulnerable out of 9,852 Cisco RV320 routers scanned; and 3,410 vulnerable out of 5,457 Cisco RV325 routers scanned.

These are mostly located in the United States, Mursch said, though overall, vulnerable devices were found in 122 countries and on the networks of 1,619 different ISPs – making for a significant, global attack surface.

Once a malefactor has gained admin credentials, he or she can further exploit the router after signing in. The CVE-2019-1652 flaw allows an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands. The vulnerability is due to improper validation of user-supplied input.

“An attacker could exploit this vulnerability by sending malicious HTTP POST requests to the web-based management interface of an affected device,” according to Cisco’s documentation. “A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux shell as root.”

A proof-of-concept for remote code-execution has been detailed by researcher/grey hat David Davidson, but Mursch noted that there are mitigating circumstances.

“In regards to how the routers are going to be exploited once compromised, it’s not fully known yet,” he told Threatpost. “At this point, I can only confirm threat actors are only taking inventory of vulnerable devices by scraping the leaked configuration files and credentials. The actual damage may be limited due to the capabilities (or lack thereof) noted by David Davidson. Only time will tell.”

Davidson’s tweet explained:

One interesting point to note is that the vulnerability also results in the SSID being leaked.
“This allows attackers to use services such as WiGLE to determine the physical location of the router,” Mursch told Threatpost.
This was also the case in the recent Orange Livebox vulnerability, Mursch pointed out. That means that an attacker can mount a variety of on-location proximity hacks, and it also allows easier botnet-building given that many admins use the same credentials for the administrative panel as well as the WiFi network — opening the door to more devices to enslave.

The vulnerabilities affect Cisco RV320/RV325 routers running firmware releases and Cisco’s patch should be applied immediately, and administrators should change their devices’ admin and WiFi credentials to thwart any compromise that may have already occurred.

This post was updated at 6:13 p.m. ET on Jan. 28, with comments from Mursch.

Suggested articles