Malware, Network Security, Patch/Configuration Management, Vulnerability Management

Attackers scanning unpatched Cisco small business routers after exploit code published

Cisco Systems last week issued security advisories for two dozen vulnerabilities, including two high-severity flaws in its Small Business RV320 and RV325 dual gigabit WAN VPN routers, which attackers are reportedly already trying to exploit with published proof-of-concept code.

Device owners are advised to immediately download Cisco's patches for the two exploited flaws, both of which reside within the routers' web-based management interface.

The first, CVE-2019-1652, is a command injection bug caused by improper validation of user-supplied input. The vulnerability, which affects routers running firmware releases through, can can allow authenticated, remote attackers with admin privileges to execute arbitrary commands on the underlying Linux shell as root.

The second flaw, CVE-2019-1653, affects
routers running firmware releases and The vulnerability allows unauthenticated remote attackers to retrieve sensitive information – including router configuration and diagnostic information – from the web-based interface, due to improper access controls for URLs.

The vulnerabilities were discovered by researchers at Germany's RedTeam Pentesting GmbH, who published exploits for the vulnerabilities on GitHub after Cisco distributed its advisory. These exploits can be used in tandem with each other to gain remote code execution on affected routers after initially retrieving and dumping their configurations.

And now attacks may be taking advantage. In a series of tweets and a blog post, Troy Mursch, chief research officer at Bad Packets Report, warned that "On Friday, January 25, 2019, our honeypots detected opportunistic scanning activity from multiple hosts targeting Cisco Small Business RV320 and RV325 routers."

"These scans consisted of a GET request for /cgi-in/config.exp which is the path that allows unauthenticated remote users to obtain an entire dump of the device’s configuration settings," Mursch continued in his blog post. "This includes the administrator credentials, however the password is hashed."

After scanning 15,309 unique IPv4 hosts, Bad Packets report found that 9,657 were susceptible to CVE-2019-1653. Most were located in the U.S., but altogether they were found in 122 different countries.

Also among the 24 vulnerabilities Cisco announced last week was CVE-2019-1651, a critical buffer overflow condition in its SD-WAN Solution. The issue, which was patched in release version 18.4.0, could allow an authenticated, remote attacker to cause a denial of service condition and execute arbitrary code as a root user, due to improper bounds checking by the vContainer.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.