The good news is that you need to enable Remote Management for an outside attack. The bad news is that “The vulnerability allows any attacker with any browser to execute code of their choice via the web interface used for managing Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router.”
Saw it on Tech Republic this AM (Tech Republic is a Ziff Davis unit owned by CBS) another day late and dollar short that you pay big dollars for. Cisco is not very forthcoming about flaws in their products. Perhaps due to an over expanded product lines insufficient budgets for development and testing. Cisco’s acquisition spree has them busy rebranding, marketing and raising prices as in the case of OpenDNS to address faults in their core products. End users should demand better especially for the price paid.
Well, they did not really fix the issue with the RV320 exploitation that does not require any authentication. Cisco just blocked the curl user agent. So you can still get to it using something like curl -A “Totally_Not_Kurl”
I wonder if the “you can’t get fired for buying Cisco” adage still holds true?
Cisco’s track record is getting closer to Microsoft’s. Could it be the hurry up get it out, quick fix, make everyone feel good approach to product development and patching?