Attackers are targeting Cisco RV320/RV325 routers using new exploits

• Attacks on Cisco routers started within hours after the Proof-of-Concept code was published on Github.
• The vulnerabilities on both the routers could allow attackers to get sensitive device configuration details and could allow attackers to inject and run admin commands on the device.

Researchers have recently observed attacks against Cisco RV320 and RV325 WAN VPN routers. The attacks started on January 25, 2019, within hours after security researcher David Davidson published the Proof-of-Concept code for two Cisco RV320 and RV325 vulnerabilities.

The two Cisco vulnerabilities

The two vulnerabilities in Cisco RV320 and RV325 routers are CVE-2019-1652 and CVE-2019-1653.

• CVE-2019-1652 - This vulnerability could allow attackers to inject and run admin commands on the device without a password.
• CVE-2019-1653 - This vulnerability could allow attackers to get sensitive device configuration details without a password.

These two vulnerabilities were discovered by RedTeam Pentesting. The vulnerabilities were reported to Cisco and Cisco released patches for both the vulnerabilities on January 23, 2019.

Attacks against Cisco routers

However, the attackers were spotted using David’s proof-of-concept code to get device configuration details using CVE-2019-1653 and to run additionals admin commands to take full control over the device using CVE-2019-1652.

The attacks against Cisco routers was first noted by a security researcher of Bad Packets LLC, Troy Mursch. Mursch advised device users to update to the latest firmware version 14.2.20 and change the passwords of devices.

“It's likely these routers will be targeted by miscreants for abuse, but to what degree yet is unknown. CVE-2019-1652 allows for further exploitation once the credentials are obtained,” Mursch told ZDNet.

Vulnerable routers

Mursch tracked all the Cisco RV320 and RV325 routers that are vulnerable to these attacks using BinaryEdge search Engine. He tracked 9657 devices that are vulnerable, of which 6247 devices were Cisco RV320 routers and 3410 devices were Cisco RV325 routers.

Mursch also created an interactive map showing location of all the infected hosts with the data he obtained. The majority of these devices were found to be located on the networks of US ISPs.

“Due to the sensitive nature of these vulnerabilities, the IP addresses of the affected Cisco RV320/RV325 routers will not be published publicly. However, the list is freely available for authorized CERT teams to review. We've shared our findings directly with Cisco PSIRT and US-CERT for further investigation and remediation,” Mursch wrote in a report.