In a security advisory published on Wednesday, Cisco said that a critical vulnerability in the Universal Plug-and-Play (UPnP) service of multiple small business VPN routers will not be patched because the devices have reached end-of-life.

The zero-day bug (tracked as CVE-2021-34730 and rated with a 9.8/10 severity score) is caused by improper validation of incoming UPnP traffic and was reported by Quentin Kaiser of IoT Inspector Research Lab. Unauthenticated attackers can exploit it to restart vulnerable devices or execute arbitrary code remotely as the root user on the underlying operating system.

“Cisco has not released and will not release software updates to address the vulnerability described in this advisory,” the company says. “The Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have entered the end-of-life process.”

According to an announcement on Cisco’s website, the last day these RV Series routers were available for order was December 2, 2019. The company asks customers who are still using these router models to migrate to newer Cisco Small Business RV132W, RV160, or RV160W Routers that still receive security updates.

The bug impacts the RV110W, RV130, RV130W, and RV215W router models ONLY if the UPnP service is toggled on.