TACTICAL CYBER INTELLIGENCE REPORT

New Exploit Threatens Over 9,000 Hackable Cisco RV320/RV325 Routers Worldwide

If your company uses Cisco RV320 or RV325 Dual Gigabit WAN VPN routers, technicians should immediately install the latest firmware update, released by Cisco last week.

Cyber attackers have been actively exploiting two newly patched high-severity router vulnerabilities after a security researcher released proof-of-concept exploit code on the Internet last weekend. The vulnerabilities in question are a command injection flaw (assigned CVE-2019-1652) and an information disclosure flaw (assigned CVE-2019-1653). Combined, they could allow a remote attacker to take full control of an affected Cisco router.

The first issue exists in RV320 and RV325 dual gigabit WAN VPN routers running firmware versions 1.4.2.15 through 1.4.2.19, and the second affects firmware versions 1.4.2.15 and 1.4.2.17, according to Cisco's advisory.[1]

Researchers found at least 9,657 Cisco routers (6,247 RV320 and 3,410 RV325) worldwide that are vulnerable to the information disclosure vulnerability, most of which are located in the United States.[2] Researchers shared an interactive map showing all vulnerable RV320/RV325 Cisco routers in 122 countries and on the networks of 1,619 unique internet service providers. Honeypots detected opportunistic scanning activity for vulnerable routers from multiple hosts from 26 January 2019, suggesting that hackers are actively trying to exploit the flaws to take full control of the vulnerable routers.

Administrators who have not yet applied the firmware update are strongly advised to change their router's admin and WiFi credentials and to consider themselves already compromised.[3]
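An added example, not part of the original report or of Cisco's advisory: a Python sketch that triages a device inventory against the affected firmware versions and the remediation advice given above. The CSV layout, host names, sample versions and action strings are constructed for illustration.

```python
import csv
import io

CVE_1652_RANGE = ((1, 4, 2, 15), (1, 4, 2, 19))  # command injection: inclusive range
CVE_1653_SET = {(1, 4, 2, 15), (1, 4, 2, 17)}    # information disclosure: listed versions
AFFECTED_MODELS = {"RV320", "RV325"}
REMEDIATE = "update firmware; change admin and WiFi credentials"
# Constructed sample inventory (hypothetical hosts, not data from the report).
SAMPLE_INVENTORY = """name,model,firmware
branch-01,RV320,1.4.2.15
branch-02,RV325,1.4.2.19
branch-03,RV320,1.4.2.22
hq-01,RV340,1.0.0.1
lab-01,RV325,unknown
"""

def parse_version(text):
    """Turn '1.4.2.17' into (1, 4, 2, 17) so comparison is numeric, not lexical."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)

def triage(model, firmware):
    """Return the CVEs from the report that apply to one device."""
    if model.strip().upper() not in AFFECTED_MODELS:
        return []
    version = parse_version(firmware)
    cves = []
    if CVE_1652_RANGE[0] <= version <= CVE_1652_RANGE[1]:
        cves.append("CVE-2019-1652")
    if version in CVE_1653_SET:
        cves.append("CVE-2019-1653")
    return cves

def triage_inventory(csv_text):
    """Map device name -> (cves, action) for a name,model,firmware CSV."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            cves = triage(row["model"], row["firmware"])
            action = REMEDIATE if cves else "not listed as affected in the report"
        except ValueError:
            cves, action = [], "firmware unreadable: check the device manually"
        results[row["name"]] = (cves, action)
    return results

if __name__ == "__main__":
    for name, (cves, action) in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(cves) or 'none'} -> {action}")
```

A device whose firmware string cannot be parsed is routed to manual checking rather than silently reported as unaffected.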

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com

 

[1] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject

[2] https://badpackets.net/over-9000-cisco-rv320-rv325-routers-vulnerable-to-cve-2019-1653/

[3] TheHackerNews, 28 Jan 2019
