Concurrent with the release of a software update that mitigates these vulnerabilities, Cisco Systems has disclosed CVE-2021-1609 and CVE-2021-1610, which affect a number of Small Business VPN routers in their product line. These vulnerabilities allow for arbitrary remote code execution, and in the case of CVE-2021-1610 allows for immediate root access. No passwords or credentials are required to exploit these vulnerabilities, simply network access to the device.
Therefore these routers are vulnerable to LAN administrative access, which can not be disabled, and are also vulnerable to remote attacks if WAN administrative access has been enabled (such access is disabled by default). The full list of affected devices is below:
CVE-2021-1609: Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers
CVE-2021-1610: Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers
Exploits of these vulnerabilities have not yet been reported in the wild, although, with the disclosure, we can expect this situation to quickly change. If remote administration is enabled on these devices, these vulnerabilities represent critical risks to any networks to which the routers are connected. If remote administration is disabled, these vulnerabilities still represent a critical risk when chained with other exploits that enable access. Man in the Middle (MITM) attacks as well as persistence, lateral movement, and privilege escalation strategies are all possible to an attacker who has gained a temporary foothold via another method, such as the exploitation of a phishing link. There are no workarounds for these vulnerabilities. To patch, download firmware release 1.0.03.22 or higher, from the Cisco.com software center, via downloads for Small Business RV Series Routers.