On Friday, January 25, 2019, our honeypots detected opportunistic scanning activity from multiple hosts targeting Cisco Small Business RV320 and RV325 routers. A vulnerability exists in these routers that allows remote unauthenticated information disclosure (CVE-2019-1653), leading to remote code execution (CVE-2019-1652).
⚠️ WARNING ⚠️
Incoming scans detected from multiple hosts checking for vulnerable Cisco RV320/RV325 routers.
A vulnerability in the web-based management interface of these routers could allow an unauthenticated, remote attacker to retrieve sensitive configuration information. pic.twitter.com/OhQD55WNZD
— Bad Packets Report (@bad_packets) January 25, 2019
These scans consisted of a GET request for /cgi-bin/config.exp, which is the path that allows unauthenticated remote users to obtain an entire dump of the device’s configuration settings. This includes the administrator credentials, although the password is hashed.
Using data provided by BinaryEdge, we’ve scanned 15,309 unique IPv4 hosts and determined 9,657 Cisco RV320/RV325 routers are vulnerable to CVE-2019-1653.
- 6,247 out of 9,852 Cisco RV320 routers scanned are vulnerable (1,650 are not vulnerable and 1,955 did not respond to our scans)
- 3,410 out of 5,457 Cisco RV325 routers scanned are vulnerable (1,027 are not vulnerable and 1,020 did not respond to our scans)
This interactive map shows the total vulnerable hosts found per country. Overall, vulnerable devices were found in 122 countries and on the network of 1,619 unique internet service providers (autonomous systems).
These vulnerabilities affect Cisco RV320/RV325 routers running firmware releases 1.4.2.15 and 1.4.2.17. Cisco has released a patch for these routers that should be applied immediately by anyone using outdated firmware. Changing the device’s admin and WiFi credentials is also highly recommended, as they may already be compromised. Cisco has published an advisory providing further details.
Due to the sensitive nature of these vulnerabilities, the IP addresses of the affected Cisco RV320/RV325 routers will not be published publicly. However, the list is freely available for authorized CERT teams to review. We’ve shared our findings directly with Cisco PSIRT and US-CERT for further investigation and remediation.
Cisco PSIRT confirmed receipt of our report of vulnerable Cisco RV320/RV325 routers. We’ve also shared our findings with INCIBE-CERT.
Our honeypots detected incoming scans from new unique hosts checking for vulnerable Cisco RV320/RV325 routers.
We’ve shared our findings with CERT Polska.
Our honeypots detected incoming scans from a new unique host checking for Cisco RV320/RV325 routers vulnerable to CVE-2019-1653.
In a disclosure posted today, RedTeam Pentesting revealed that the firmware update released by Cisco for affected RV320/RV325 routers did not properly correct the vulnerability.
Patched devices may still be vulnerable to unauthorized information disclosure if the user agent used by the attacker is something other than curl.
Cisco firmware update for RV320/RV325 routers simply blacklisted the user agent for curl. 🤦♂️ https://t.co/iWrUn98vcr
— Bad Packets Report (@bad_packets) March 27, 2019
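To show why defenders should alert on the request path rather than the User-Agent, here is an added example (not Bad Packets' or Cisco's code) that runs a path-based detection over constructed combined-format access-log lines and compares it with a curl-only check like the one the incomplete fix relied on; the log lines and IP addresses are constructed samples.

```python
import re
from typing import Dict, List

# Combined log format (Apache/nginx style): ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# The unauthenticated config export path named in the post.
CONFIG_EXPORT_PATH = "/cgi-bin/config.exp"

# Constructed sample log: a curl probe, a non-curl probe to the same path,
# and a benign request to the management interface. IPs are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Jan/2019:10:12:01 +0000] "GET /cgi-bin/config.exp HTTP/1.1" 200 18345 "-" "curl/7.58.0"
198.51.100.7 - - [25/Jan/2019:10:12:44 +0000] "GET /cgi-bin/config.exp HTTP/1.1" 200 18345 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Jan/2019:10:13:02 +0000] "GET /cgi-bin/welcome.htm HTTP/1.1" 200 2312 "-" "Mozilla/5.0"
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def _is_config_export(record: Dict[str, str]) -> bool:
    # Strip any query string so "/cgi-bin/config.exp?x=1" is still caught.
    return record["path"].split("?", 1)[0] == CONFIG_EXPORT_PATH


def flag_config_exports(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Path-based detection: every request to the export path, whatever the User-Agent."""
    return [r for r in records if _is_config_export(r)]


def flag_curl_only(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Mirrors the inadequate fix: only curl User-Agents hitting the path are treated as suspicious."""
    return [r for r in records if _is_config_export(r) and r["ua"].lower().startswith("curl/")]


def missed_by_ua_blocklist(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Export requests that a curl-only check would let through."""
    curl_hits = {id(r) for r in flag_curl_only(records)}
    return [r for r in flag_config_exports(records) if id(r) not in curl_hits]
```

Running the path-based check against a 200-status response to this path on a device that has been "patched" is a quick way to confirm whether the fix actually took effect on your own routers.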
Using the latest data from @binaryedgeio, we've scanned 14,045 Cisco RV320/RV325 routers and found 8,827 are leaking their configuration file, including admin credentials, to the public internet.
— Bad Packets Report (@bad_packets) March 28, 2019