No fixes scheduled for Cisco router zero-day

Cisco has announced that it will not release a patch for a novel authentication bypass zero-day vulnerability affecting small business VPN routers that have already reached end-of-life, BleepingComputer reports. The flaw, tracked as CVE-2022-20923, has been attributed to a faulty password validation algorithm and affects Cisco's RV110W, RV130, RV130W, and RV215W routers, which were last available for order in December 2019. "A successful exploit could allow the attacker to bypass authentication and access the IPSec VPN network. The attacker may obtain privileges that are the same level as an administrative user, depending on the crafted credentials that are used," said Cisco. Although there are no known proof-of-concept exploits and no in-the-wild exploitation of the flaw, users of the now-unsupported systems have been urged to upgrade to newer models. "Cisco has not released and will not release software updates to address the vulnerability described in this advisory. Customers are encouraged to migrate to Cisco Small Business RV132W, RV160, or RV160W Routers," said Cisco.
