Cisco has fixed several pre-authentication remote code execution (RCE) vulnerabilities affecting multiple small business VPN routers. The flaws allow attackers to execute arbitrary code as root on successfully exploited devices.
The root user is the superuser of the system on Unix operating systems, a special user account that is normally only used for system administration tasks.
The vulnerabilities, rated 9.8/10 in severity, were found in the web-based administration interface of Cisco small business routers.
“These vulnerabilities exist because HTTP requests are not properly validated,” Cisco explained in a report published today.
“An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the web-based management interface of an affected device.”
Security update available for all vulnerable routers
According to Cisco, the following small business routers are vulnerable to attacks attempting to exploit these vulnerabilities while running a firmware version …