Cisco has patched multiple remote code execution vulnerabilities in Small Business router models RV160, RV160W, RV260, RV260P and RV260W VPN Routers.
An attacker could remotely exploit some of these vulnerabilities to take control of an impacted system.
Small Business routers
Cisco patched seven vulnerabilities (CVE-2021-1289, CVE-2021-1290, CVE-2021-1291, CVE-2021-1292, CVE-2021-1293, CVE-2021-1294 and CVE-2021-1295) in the web-based management interface of the Cisco Small Business Router models that could result in arbitrary code execution.
“These vulnerabilities exist because HTTP requests are not properly validated. An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the web-based management interface of an affected device,” Cisco explained in the advisory.
Moreover the vulnerabilities affect the following Cisco Small Business Routers if running an older firmware than Release 1.0.01.02:
- RV160, RV260 VPN Routers
- RV160W, RV260W Wireless-AC VPN Routers
- RV260P VPN Router with POE.
Users are strongly urged to update affected devices as soon as possible.
Other Cisco updates
Cisco also updated a previously released advisory for a Sudo Privilege Escalation Vulnerability CVE-2021-3156. The latest advisory updated the lists of products under investigation, vulnerable products and products confirmed not vulnerable.
Researchers discovered the vulnerability CVE-2021-3156 in open-source sudo utility could allow regular users to gain root privileges on vulnerable Linux hosts without authentication.
Moreover, Cisco also patched the following vulnerabilities since February 4, 2021:
- Cisco Identity Services Engine Cross-Site Scripting Vulnerability (CVE-2020-3551)
- Cisco Identity Services Engine Privilege Escalation Vulnerability (CVE-2020-27122)
- Cisco IOS XR Software Enf Broker Denial of Service Vulnerability (CVE-2021-1288 and CVE-2021-1313).
CVE-2021-1289, CVE-2021-1290, CVE-2021-1291, CVE-2021-1292, CVE-2021-1293, CVE-2021-1294 and CVE-2021-1295