A critical vulnerability in older Cisco Systems Inc. routers will remain unpatched after the company advised that they have reached end-of-life status.

The vulnerability is in the Universal Plug-and-Play service in Cisco Small Business RV110W, RV130, RV130W and RV214W routers. Rated by Cisco as “critical,” it could allow an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial-of-service condition.

The vulnerability is the result of improper validation of incoming UPnP traffic. An attacker could exploit this vulnerability by sending a crafted UPnP request to an affected device. A successful exploit could allow the attacker to obtain root status on the underlying operating system or cause the device to reload, resulting in a DoS condition.

Although it’s arguably nice that Cisco has at least alerted users, it then went on to say in its Aug. 18 notice that “Cisco has not released software updates that address this vulnerability.” It added that there are no workarounds to address the vulnerability either.

That said, Cisco noted that administrators can disable the affected feature by disabling UPnP on the LAN interface of the device.

“Exploiting this vulnerability in a default configuration requires the threat actor to have access to the internal network,” Jake Williams, co-founder and chief technology officer at incident response firm BreachQuest Inc., told SiliconANGLE. “That can be gained through something as easy as a phishing email. Once inside, the threat actor can use this vulnerability to easily take control of the device using an exploit.”

Noting that the vulnerable devices are widely deployed in smaller business environments, Williams also said some larger organizations also use the devices for remote offices.

“While UPnP is an extremely useful feature for home users, it has no place in business environments,” Williams explained. “Cisco likely leaves the UPnP feature enabled on its small business product line because those environments are less likely to have dedicated support staff who can reconfigure a firewall as needed for a product.”

Yaniv Bar-Dayan, co-founder and chief executive officer of cyber risk remediation company Vulcan Cyber Ltd., said the vulnerabilities should be taken seriously by network security teams. “Exposure should be identified and prioritized based on contextualized business risk,” he said. “Based on this measure of risk, steps to mitigate the threat should be taken to protect the business.”

Image: Cisco