Cisco issues updates after vulnerabilities discovered in small business routers

Problems concern its RV160, RV260, RV340, and RV345 Series Routers, with some updates still yet to be released

Cisco says it has released software updates to address some of the multiple vulnerabilities it has discovered in its routers for small businesses.

Five of the vulnerabilities unveiled by Cisco were marked critical, with three of them ranked 10/10 on the Common Vulnerability Scoring System.

The networking giant released an advisory detailing the issues concerning its RV160, RV260, RV340, and RV345 Series Routers.

It admitted the vulnerabilities could allow hackers to execute arbitrary code, elevate privileges, execute arbitrary commands, bypass authentication and authorisation protections, fetch and run unsigned software and cause denial of service (DoS).

The first of the three 10/10 rated flaws concerns could allow an "unauthenticated, remote attacker to execute arbitrary code on an affected device".

And the second impacting its RV Series Routers is a problem in the web-based management interface of which the company admits "could allow a remote attacker to elevate privileges to root" - due to "insufficient authorisation enforcement mechanisms".

Finally, the third 10/10 ranked vulnerability could allow an unauthenticated, remote attacker to "inject and execute arbitrary commands on the underlying operating system "due to "insufficient validation of user-supplied input".

An additional two vulnerabilities were marked 9 and 9.3 on the Common Vulnerability Scoring System, while six of the others have a high rating - meaning they've scored between 7.0 and 8.9 on the scale.

Cisco said that it has "released software updates that address these vulnerabilities" and that "there are no workarounds that address these vulnerabilities".

But the vendor is still working on fixes for identified vulnerabilities for the RV160 and RV260 Series Routers "as quickly as possible".

"Of the vulnerabilities identified in the advisory, five have fixes available today in the firmware release 1.0.01.07. The remaining fix (addressing a particular attack scenario of CVE-2022-20705) will be released as soon as possible in February," it added.