Concurrent with the release of a software update that mitigates these vulnerabilities, Cisco Systems has disclosed CVE-2021-1609 and CVE-2021-1610, which affect a number of Small Business VPN routers in its product line. These vulnerabilities allow arbitrary remote code execution, and CVE-2021-1610 allows immediate root access. No passwords or credentials are required to exploit them; network access to the device is sufficient.
These routers are therefore vulnerable through LAN administrative access, which cannot be disabled, and are also vulnerable to remote attacks if WAN administrative access has been enabled (such access is disabled by default). The full list of affected devices is below:
CVE-2021-1609: Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers
CVE-2021-1610: Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers