Cisco recently warned of a critical vulnerability, tracked as CVE-2023-20025 (CVSS score of 9.0), that impacts small business RV016, RV042, RV042G, and RV082 routers. The IT giant announced that these devices will receive no security updates to address the bug because they have reached end of life (EoL).
The flaw is an authentication bypass issue that resides in the web-based management interface of the routers, an attacker. An unauthenticated, remote attacker can exploit the CVE-2023-20025 flaw to bypass authentication on vulnerable devices.
The flaw is due to improper validation of user input within incoming HTTP packets.
An attacker could trigger the flaw by sending a specially crafted HTTP request to the web-based management interface.
“A successful exploit could allow the attacker to bypass authentication and gain root access on the underlying operating system.” reads the advisory published by the company. “Cisco has not and will not release software updates that address this vulnerability. There are no workarounds that address this vulnerability.”
The communications technology firm said that there are no workarounds to fix this flaw, however, admins may disable remote management and block access to ports 443 and 60443.
