On Friday, January 25, 2019, our honeypots detected opportunistic scanning activity from multiple hosts targeting Cisco Small Business RV320 and RV325 routers. A vulnerability in these routers allows remote, unauthenticated information disclosure (CVE-2019-1653), which can lead to remote code execution (CVE-2019-1652).
⚠️ WARNING ⚠️
Incoming scans detected from multiple hosts checking for vulnerable Cisco RV320/RV325 routers.
A vulnerability in the web-based management interface of these routers could allow an unauthenticated, remote attacker to retrieve sensitive configuration information. pic.twitter.com/OhQD55WNZD
— Bad Packets Report (@bad_packets) January 25, 2019
These scans consisted of a GET request for /cgi-bin/config.exp, the path that allows unauthenticated remote users to obtain a complete dump of the device's configuration settings. This dump includes the administrator credentials; the password, however, is hashed.
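The request described above is easy to spot in web access logs. The following is an added detection example, not code from Bad Packets or Cisco: it parses Apache/nginx "combined"-format log lines (an assumption about how the management interface's requests are logged), flags GET requests for the configuration export CGI, and separates mere probes from requests that were actually served a configuration (HTTP 200 with a body), since the latter mean the device's configuration must be treated as disclosed. The log lines are constructed samples using documentation address ranges, not captured traffic.

```python
import re
from collections import Counter
from typing import Iterator

# Request path named in the post: an unauthenticated GET here returns the
# router's full configuration export on affected RV320/RV325 firmware.
CONFIG_EXPORT_PATH = "/cgi-bin/config.exp"

# Apache/nginx "combined" access-log format. Assumption: requests to the
# management interface are available in (or can be converted to) this format.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jan/2019:14:02:11 +0000] "GET /cgi-bin/config.exp HTTP/1.1" 200 18342
198.51.100.23 - - [25/Jan/2019:14:02:13 +0000] "GET /cgi-bin/config.exp HTTP/1.1" 200 18342
203.0.113.7 - - [25/Jan/2019:14:02:15 +0000] "GET /cgi-bin/config.exp?x=1 HTTP/1.1" 200 18342
192.0.2.44 - - [25/Jan/2019:14:05:00 +0000] "GET / HTTP/1.1" 200 2211
192.0.2.44 - - [25/Jan/2019:14:05:02 +0000] "GET /cgi-bin/config.exp HTTP/1.1" 403 0
garbage line that does not parse
"""


def parse_log(text: str) -> Iterator[dict]:
    """Yield the parsed fields of each well-formed line; skip lines that do not match."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()


def is_config_export_probe(rec: dict) -> bool:
    """True when the request is a GET for the config export CGI, ignoring any query string and case."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "GET" and path.lower() == CONFIG_EXPORT_PATH


def find_probes(text: str) -> dict:
    """Count probes per source address and how many of them were served a configuration.

    A 200 response with a non-empty body means the export was actually returned:
    the device is unpatched and its configuration (admin credentials included,
    with the password hashed) should be considered disclosed.
    """
    attempts: Counter = Counter()
    served: Counter = Counter()
    for rec in parse_log(text):
        if not is_config_export_probe(rec):
            continue
        attempts[rec["src"]] += 1
        if rec["status"] == "200" and rec["size"] not in ("-", "0"):
            served[rec["src"]] += 1
    return {"attempts": dict(attempts), "served": dict(served)}


if __name__ == "__main__":
    result = find_probes(SAMPLE_LOG)
    for src, n in sorted(result["attempts"].items()):
        print(f"{src}: {n} probe(s), {result['served'].get(src, 0)} served with config")
```

Any source that appears under "served" should trigger the response described later in this post (patch, then rotate admin and WiFi credentials), since the configuration export has left the device; sources that only appear under "attempts" are scanners worth blocking but did not obtain anything.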
Using data provided by BinaryEdge, we’ve scanned 15,309 unique IPv4 hosts and determined 9,657 Cisco RV320/RV325 routers are vulnerable to CVE-2019-1653.
- 6,247 out of 9,852 Cisco RV320 routers scanned are vulnerable (1,650 are not vulnerable and 1,955 did not respond to our scans)
- 3,410 out of 5,457 Cisco RV325 routers scanned are vulnerable (1,027 are not vulnerable and 1,020 did not respond to our scans)
The interactive map accompanying this post shows the total vulnerable hosts found per country. Overall, vulnerable devices were found in 122 countries and on the networks of 1,619 unique internet service providers (autonomous systems).
These vulnerabilities affect Cisco RV320/RV325 routers running firmware releases 1.4.2.15 and 1.4.2.17. Cisco has released a patch for these routers that should be applied immediately by anyone running outdated firmware. Changing the device's admin and WiFi credentials is also highly recommended, as they may already be compromised. Cisco has published an advisory providing further details.
Due to the sensitive nature of these vulnerabilities, the IP addresses of the affected Cisco RV320/RV325 routers will not be published publicly. However, the list is freely available for authorized CERT teams to review. We’ve shared our findings directly with Cisco PSIRT and US-CERT for further investigation and remediation.