Cisco, an American Multinational Conglomerate stated this week it does not plan on fixing vulnerabilities in end-of-life (EOL) Cisco routers, more than 70 vulnerabilities were spotted in CISCO’s Small Business RV110W, RV130, RV130W, and routers. Despite these vulnerabilities, the company has no intentions to fix these patches.
Cisco stated that these devices have reached end-of-life (EOL) hence there is no point in fixing the Cisco routers. The deadline regarding software maintenance releases and bug fixes was December 1, 2020. Cisco has released software updates to fix these vulnerabilities and said they are not mindful of threat actor exploits targeting the vulnerabilities.
CVE-2021-1144 recognized as a high severity bug (CVSS score of 8.8) in Connected Mobile Experiences (CMX) is the most valuable flaw which can be exploited by threat actors to alter the passwords for any user account on the system which includes administrator accounts as well. Threat actors can exploit the vulnerability by sending an altered HTTP request to a susceptible device.
CVE-2021-1237 (CVSS score of 7.8) is tracked as another high severity flow, it was detected in the AnyConnect Secure Mobility Client for Windows, influencing the Web Security Agent Components and the endpoint solution’s Network Access Manager. This vulnerability could be exploited by an authenticated and local threat actor for Dynamic Link Library (DLL) installation.
Cisco stated that “an attacker could exploit this vulnerability by inserting a configuration file in a specific path in the system which, in turn, causes a malicious DLL file to be loaded when the application starts. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges”.
Cisco issued 18 other recommendations explaining medium severity bugs in Proximity Desktop for Windows, ASR 5000 routers, Enterprise NFV Infrastructure Software (NFVIS), Webex, Finesse, Firepower Management Center (FMC), Video Surveillance 8000 IP Cameras, Unified Communications products, DNA Center, AnyConnect Secure Mobility Client, and CMX API authorizations.