Cisco RV320/RV325 WAN Router Vulnerability Threatens Internet Providers And The Enterprise

For organizations that are reliant on Cisco RV320 and RV325 WAN VPN routers, we implore you to -- if you haven't already -- apply two patches that were issued late last week. The patches address the following vulnerabilities:

  • CVE-2019-1652: A vulnerability in the web-based management interface that could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands.
  • CVE-2019-1653: A vulnerability in the web-based management interface that could allow an unauthenticated, remote attacker to retrieve sensitive information.

According to BleepingComputer, both vulnerabilities were discovered by German firm RedTeam Pentesting and were privately disclosed to Cisco, which prompted the company to release the above patches. However, things took a turn for the worse when a security researcher, David Davidson, decided to post a proof-of-concept [via GitHub] for chaining the two exploits together to initiate a successful attack against unpatched RV320 and RV325 routers.

Expecting all affected routers to be patched in a matter of just a few days is wishful thinking, which is why some rather resourceful hackers are already building on Davidson's work to obtain full control over the affected routers.

Thanks to an investigation by Bad Packets Report, it was discovered that nearly 9,700 Cisco routers are affected (the vast majority of which are located in the United States), with attackers having the potential to gain access to "an entire dump of the device's configuration settings" using CVE-2019-1653. Hackers also could gain access to administrator credentials, although password information is hashed.

However, when that leaked information is combined with CVE-2019-1652, remote command execution gives deeper access to device commands and, eventually, full control of targeted devices.

At this point, the first course of action is, of course, to apply Cisco's patches for the RV320 and RV325. The second is to change the admin and Wi-Fi credentials, as those details may very well have been leaked already.