Cisco SOHO Wireless VPN Firewalls and Routers Open to Attack (Feb 28, 2019)
Cisco has confirmed that a vulnerability, registered as “CVE-2019-1663,” affects some of its products. The vulnerability is located “in the web-based management interface” and can be exploited with a custom HTTP request. Affected products include the RV110W Wireless-N VPN Firewall, the RV130W Wireless-N Multifunction VPN Router, and the RV215W Wireless-N VPN Router. A threat actor could exploit this vulnerability to execute arbitrary code on an affected device.
Recommendation: Threat actors are often observed exploiting vulnerabilities even after the affected company has patched them. It is therefore crucial to have policies in place that ensure all patches are applied as soon as they can be, to avoid potential malicious activity. While there is no proof-of-concept code available for this vulnerability as of this writing, the public mention of the vulnerability's existence will cause threat actors to attempt to exploit it. Additional information on CVE-2019-1663 can be found in Cisco’s security advisory, located here: “https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex”
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.