In a security advisory published on Wednesday, Cisco said that a critical vulnerability in Universal Plug-and-Play (UPnP) service of multiple small business VPN routers will not be patched because the devices have reached end-of-life. The zero-day bug (tracked as CVE-2021-34730 and rated with a 9.8/10 severity score) is caused by improper validation of incoming UPnP traffic and was reported by Quentin Kaiser of IoT Inspector Research Lab. Unauthenticated attackers can exploit it to restart vulnerable devices or execute arbitrary code remotely as the root user on the underlying operating system. “Cisco has not released and will not release software updates to address the vulnerability described in this advisory,” the company says. “The Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have entered the end-of-life process.” According to an announcement on Cisco’s website, the last day these RV Series routers were available for order was December 2, 2019. The company asks customers who are still using these router models to migrate to newer Cisco Small Business RV132W, RV160, or RV160W Routers that still receive security updates. The bug impacts the RV110W, RV130, RV130W, and RV215W router models ONLY if the UPnP service is toggled on.
Any company that is using Cisco Small Business routers RV110W, RV130, RV130W, or RV215W, should migrate to the newer RV132W, RV160, or RV160W as soon as possible because even though there isn’t currently a public proof of concept exploit available for this zero day, threat actors knowing it exists can work to rediscover it and start exploiting it in the wild. If unable to migrate to newer routers in the near future, consider turning off the vulnerable UPnP service.