Cisco routers and VPN are at risk once again


Cisco is rolling out a new security update that patches a grand total of 34 vulnerabilities across a number of the company's products and software, including its small business and VPN routers. Of these, five have been labeled as critical.

The first of these critical vulnerabilities, tracked as CVE-2020-3330 with a CVSS score of 9.8, impacts the Telnet service in Cisco Small Business RV110W Wireless-N VPN Firewall routers. The flaw stems from the device's use of a default, static password: if an attacker obtains this password, the router can be hijacked remotely.

The second critical vulnerability, tracked as CVE-2020-3323 and also with a CVSS score of 9.8, impacts Cisco's Small Business RV110W, RV130, RV130W and RV215W routers. The flaw resides in the online management portal for these routers, which performs improper input validation and can be exploited using malicious HTTP requests.

The third vulnerability, tracked as CVE-2020-3144 and with a CVSS score of 9.8, also impacts this same router line, and once again the security flaw resides in the device's web management portal. If exploited, it could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary commands on an affected device.

Critical vulnerabilities

Cisco's RV110W Wireless-N VPN Firewall and Cisco RV215W Wireless-N VPN router are also affected by a vulnerability tracked as CVE-2020-3331 with a CVSS score of 9.8 that can be exploited by an attacker to execute arbitrary code with root privileges. This bug is found in the firewall and router's web management interface and results from improper handling of user input by the devices.

The final critical vulnerability Cisco patched, tracked as CVE-2020-3140 and also with a CVSS score of 9.8, is present in Cisco Prime License Manager (PLM). This is another web management portal issue caused by improper user input handling, and the bug can be abused by an attacker sending malicious requests. While this vulnerability could potentially lead to administrator-level privilege escalation, an attacker would need a valid username to exploit it.

In addition to these five critical vulnerabilities, Cisco also released a number of fixes for its other products and services, including Identity Services, SD-WAN vManage and vEdge, Webex Meetings and more. The company's customers should accept any automatic updates that come through to address these vulnerabilities, or manually update their devices and software.

Via ZDNet

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 
