Over 9,000 Cisco RV320/RV325 routers are vulnerable to CVE-2019-1653

On Friday, January 25, 2019, our honeypots detected opportunistic scanning activity from multiple hosts targeting Cisco Small Business RV320 and RV325 routers. A vulnerability exists in these routers that allows remote unauthenticated information disclosure (CVE-2019-1653), leading to remote code execution (CVE-2019-1652).

These scans consisted of a GET request for /cgi-bin/config.exp, the path that allows unauthenticated remote users to obtain an entire dump of the device’s configuration settings. This includes the administrator credentials, although the password is hashed.

All configuration settings of the RV320/RV325 routers are exposed by this vulnerability.

Using data provided by BinaryEdge, we’ve scanned 15,309 unique IPv4 hosts and determined 9,657 Cisco RV320/RV325 routers are vulnerable to CVE-2019-1653.

  • 6,247 out of 9,852 Cisco RV320 routers scanned are vulnerable
    (1,650 are not vulnerable and 1,955 did not respond to our scans)
  • 3,410 out of 5,457 Cisco RV325 routers scanned are vulnerable
    (1,027 are not vulnerable and 1,020 did not respond to our scans)
Of the vulnerable routers found, most were located in the United States.

This interactive map shows the total vulnerable hosts found per country. Overall, vulnerable devices were found in 122 countries and on the network of 1,619 unique internet service providers (autonomous systems).

These routers can be exploited further using the leaked credentials (CVE-2019-1652) resulting in remote code execution detailed in the proof-of-concept published by David Davidson (0x27).

These vulnerabilities affect Cisco RV320/RV325 routers running firmware releases 1.4.2.15 and 1.4.2.17. Cisco has released a patch for these routers that should be applied immediately by anyone using outdated firmware. Changing the device’s admin and WiFi credentials is also highly recommended as they may already be compromised. Cisco has published an advisory providing further details here.

Closing remarks

Due to the sensitive nature of these vulnerabilities, the IP addresses of the affected Cisco RV320/RV325 routers will not be published publicly. However, the list is freely available for authorized CERT teams to review. We’ve shared our findings directly with Cisco PSIRT and US-CERT for further investigation and remediation.

Additional updates

Update 2019-01-27:
We’ve shared our findings with CIRCL and SingCERT regarding vulnerable routers in Luxembourg and Singapore, respectively.

Update 2019-01-28:
We’ve shared our findings with ACSC, Canadian Centre for Cyber Security, CCB, CERT.at, CLCERT, NCSC and Z-CERT.

Update 2019-01-29:
We’ve shared our findings with ANSSI/COSSI/CERT-FR, CSIRT-IE, CERT-PT, and SK-CERT.

Update 2019-01-30:
Cisco PSIRT confirmed receipt of our report of vulnerable Cisco RV320/RV325 routers. We’ve also shared our findings with INCIBE-CERT.

Our honeypots detected incoming scans from new unique hosts checking for vulnerable Cisco RV320/RV325 routers.

Update 2019-01-31:
US-CERT / CISA confirmed receipt of our report and advised their Technical Analysis Branch is reviewing.

Update 2019-02-01:
We’ve shared our findings with CERT Polska.

Our honeypots detected incoming scans from a new unique host checking for Cisco RV320/RV325 routers vulnerable to CVE-2019-1653.

Update 2019-03-27:

In a disclosure posted today, RedTeam Pentesting revealed that the firmware update released by Cisco for affected RV320/RV325 routers did not properly correct the vulnerabilities.

Patched devices may still be vulnerable to unauthorized information disclosure if the user agent used by the attacker is something other than curl.
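For defenders reviewing web or honeypot logs for the scanning activity described at the top of this post, the following is an added example (not code from this report or from Cisco) that flags requests for /cgi-bin/config.exp in combined-format access logs. It deliberately matches on the path alone, because the March 2019 finding shows a user-agent filter is not a reliable control; the log lines, IP addresses and user agents are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx combined log format (placeholder IPs and UAs).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Jan/2019:10:12:01 +0000] "GET /cgi-bin/config.exp HTTP/1.1" 200 51234 "-" "curl/7.58.0"
198.51.100.9 - - [25/Jan/2019:10:13:44 +0000] "GET /cgi-bin/config.exp HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
192.0.2.77 - - [25/Jan/2019:10:14:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Jan/2019:10:15:30 +0000] "GET /cgi-bin/config.exp HTTP/1.0" 403 0 "-" "python-requests/2.21"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)

# The unauthenticated configuration export path described in the post.
CONFIG_PATH = "/cgi-bin/config.exp"

def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_config_requests(log_text):
    """Return every request for the config export path, regardless of user agent."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Strip any query string and compare the path only; the user agent is
        # recorded for context but never used as the match condition.
        if rec["path"].split("?", 1)[0].lower() == CONFIG_PATH:
            hits.append(rec)
    return hits

def summarize(hits):
    """Count scanning sources and how many requests were actually served a dump (HTTP 200)."""
    sources = Counter(h["ip"] for h in hits)
    served = sum(1 for h in hits if h["status"] == "200")
    agents = sorted({h["ua"] for h in hits})
    return {"sources": sources, "served": served, "agents": agents}

if __name__ == "__main__":
    hits = find_config_requests(SAMPLE_LOG)
    s = summarize(hits)
    for ip, n in s["sources"].most_common():
        print(f"{ip}: {n} request(s) for {CONFIG_PATH}")
    print(f"{s['served']} of {len(hits)} requests returned a configuration dump")
```

A 200 response to this path on a device whose configuration should never be exported unauthenticated is the signal to treat the admin and WiFi credentials as compromised, as the post recommends.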

Update 2019-03-28:

Our latest scan results indicate over 8,000 Cisco RV320/RV325 routers are still vulnerable to CVE-2019-1653.
