Cisco Small Business RV320/RV325 Router Exposure Critical Vulnerability

If your work unit is using a Cisco Small Business RV320/RV325 Router, then be sure to remind your network administrators to install the latest firmware update released by Cisco last week.

According to the announcement issued by Cisco, CVE-2019-1652 exists in RV320 and RV325 Dual Gigabit WAN VPN Routers running firmware versions 1.4.2.15 to 1.4.2.19, and CVE-2019-1653 exists in firmware version 1.4. 2.15 and 1.4.2.17 of the RV320 and RV325 Dual Gigabit WAN VPN Routers.

  • CVE-2019-1652 – Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability
  • CVE-2019-1653 – The vulnerability allows an attacker to gain access to the Web-based management platform of the router affected by the vulnerability without any authentication, allowing an attacker to retrieve sensitive information, such as a router’s configuration file

The Cisco announcement states that the two vulnerabilities were discovered and submitted by the RedTeam Pentesting GmbH. These vulnerabilities exist in the web-based management interface used by RV320 or RV325 routers and can be used remotely.

https://twitter.com/bad_packets/status/1089001921627574272

David Davidson released a proof-of-concept attack code on two serious security vulnerabilities in Cisco RV320 and RV325 routers through the GitHub website last weekend, some cyberhackers began to actively exploit these two vulnerabilities. David Davidson’s proof-of-concept attack code published on the GitHub website can first retrieve the configuration file from the router using CVE-2019-1653 to obtain the voucher MD5 hash value, then use CVE-2019-1652 to execute arbitrary commands and fully control the vulnerable router.

According to a network security company, Bad Packets, they have discovered 9657 Cisco routers (6,247 RV320 and 3410 RV325) affected by the CVE-2019-1653 information disclosure vulnerability, most of which are located in the United States.

Cisco Small Business RV320/RV325 Router vulnerability

BAD PACKETS also said that since last Saturday, their honeypot system has detected a large number of scanning activities for RV320 and RV325 routers, indicating that some hackers are actively exploiting these two vulnerabilities to hijack the affected Cisco routers.