A critical vulnerability in some end-of-life Cisco routers allowing a remote, unauthenticated attacker to gain root access won’t be fixed, according to the networking giant.

And while Cisco isn’t aware of any in-the-wild exploits of the 9.0-rated bug, tracked as CVE-2023-20025, or a second, less-sever Remote Command Execution flaw that also affects older small business routers, a proof-of-concept exploit does exist. 

In other words: time to toss your old kit or at the very least disabled the affected features before miscreants enlist the devices in a bot army. Cisco users are familiar with this however – kit gets old and can’t be supported forever.

CVE-2023-20025 is a critical vulnerability in the web-based management interface of Cisco small business RV016, RV042, RV042G, and RV082 routers. It’s down to improper validation of user input within incoming HTTP packets. 

“An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface,” Cisco explained. “A successful exploit could allow the attacker to bypass authentication and gain root access on the underlying operating system.”

Although Cisco is not going to release any software updates to fix this flaw in the routers, which it stopped selling in 2020, administrators can disable the affected feature, which the vendor said mitigated the issue in a test environment. 

However, this isn’t a solid guarantee and it could hurt network performance. Even after disabling remote management and blocking access to ports 443 and 60443, the routers will still be accessible through the LAN interface, Cisco warned. 

The second bug described in the security advisory, CVE-2023-20026, is a remote command execution vulnerability in the same small business routers that received a 6.5 CVSS rating.

Although the bug affects the same product family, and Cisco included both CVEs in one alert, “exploitation of one of the vulnerabilities is not required to exploit the other vulnerability,” the vendor said.

A miscreant would need to have administrative credentials to exploit CVE-2023-20026. But assuming that was the case, they could send a specially crafted HTTP request to the web-based management interface to gain root privileges, execute a malicious command on the target device, and access private data. 

There’s no patch for this one, either, but, again, admins can disable the affected feature at their own risk. Cisco provides instructions on how to do this in the workarounds section of the advisory.

Hou Liuyang of Qihoo 360 Netlab found and responsibly disclosed both vulnerabilities. ®