Cisco will not patch serious security hole in its old VPN routers

VPN
(Image credit: Shutterstock / Elaine333)

Cisco has disclosed that some models of its small business VPN routers ship with a vulnerable Universal Plug-and-Play (UPnP) service that can be exploited to either remotely run arbitrary code or cause the device to restart unexpectedly. 

However, the company has refused to issue a patch to plug the vulnerability, arguing that the devices have reached end-of-life. 

“Cisco has not released and will not release software updates to address the vulnerability described in this advisory,” shared Cisco in its advisory.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

The zero-day bug, tracked as CVE-2021-34730, and rated with a critical severity score of 9.8, exists due to the improper validation of incoming UPnP traffic, and was reported by cybersecurity researchers from IoT Inspector Research Lab.

End of the line

Cisco shared that the small business VPN routers that are affected by this vulnerability include the RV110W, RV130, RV130W, and RV215W, all of which have reached end-of-life and aren’t actively supported.

The company advises owners of the vulnerable devices to switch to newer, supported versions, namely the RV132W, RV160, and RV160W router.

For what it’s worth though, as far as Cisco’s Product Security Incident Response Team (PSIRT) can tell there are no publicly known exploits of the vulnerability.

Furthermore, the vulnerability can be exploited only if the UPnP service is toggled on in the affected models. While Cisco has shared that the service is enabled by default, to protect themselves against exploits, owners of the vulnerable devices can simply disable the UPnP service.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.