Hackers are going after Cisco RV320/RV325 routers using a new exploit

Attacks on Cisco routers started hours after the publication of proof-of-concept code on GitHub.

Cisco RV320 router

Cisco RV320 router

Image: Cisco // Composition: ZDNet

Security researchers have observed ongoing internet scans and exploitation attempts against Cisco RV320 and RV325 WAN VPN routers, two models very popular among internet service providers and large enterprises.

Also: Cisco removed its seventh backdoor account 

Attacks started on Friday, January 25, after security researcher David Davidson published a proof-of-concept exploit for two Cisco RV320 and RV325 vulnerabilities.

The vulnerabilities are:

  • CVE-2019-1653 - allows a remote attacker to get sensitive device configuration details without a password.
  • CVE-2019-1652 - allows a remote attacker to inject and run admin commands on the device without a password.

Both vulnerabilities were discovered and privately reported to Cisco by Germany security firm RedTeam Pentesting [1, 2, 3]. Cisco released patches for both issues on Wednesday, January 23 [1, 2].

The current consensus is that attackers are using Davidson's proof-of-concept code to retrieve configuration details using CVE-2019-1652 and then using CVE-2019-1653 to run additional commands, taking full control over vulnerable devices.

"I would advise affected users to upgrade to firmware version 1.4.2.20 and change their device passwords immediately," said security researcher Troy Mursch, of Bad Packets LLC, who first spotted the scans on Friday.

"It's likely these routers will be targeted by miscreants for abuse, but to what degree yet is unknown. CVE-2019-1652 allows for further exploitation once the credentials are obtained," Mursch told ZDNet.

"I'm in agreement with this guy," Mursch added, pointing ZDNet to one of Davidson's tweets.

Mursch also used BinaryEdge, a search engine for internet-connected devices, to track down all the Cisco RV320 and RV325 routers that are vulnerable to these attacks.

After a night of investigating, the researcher tracked down 9,657 devices --of which 6,247 are Cisco RV320 routers, and the rest, 3,410, are Cisco RV325 routers.

Mursch has built an interactive map with the data he obtained, showing location of all infected hosts. The vast majority of these devices are located on the networks of US ISPs.

"Due to the sensitive nature of these vulnerabilities, the IP addresses of the affected Cisco RV320/RV325 routers will not be published publicly. However, the list is freely available for authorized CERT teams to review. We've shared our findings directly with Cisco PSIRT and US-CERT for further investigation and remediation," Mursch wrote in a separate report published today.

As Mursch pointed out earlier in the article, the simplest way to mitigate these attacks would be to update the Cisco RV320 and RV325 router firmware. Get patchin'!

More security coverage: