Cisco has fixed critical flow in wireless VPN and firewall routers. Cisco said that CVE-2019-1663, which has a CVSS score of 9.8, allows unauthenticated, an attacker can execute remote arbitrary code.
The vulnerability was discovered by security researchers Yu Zhang and Haoliang Lu, and T. Shiomitsu of Pen Test Partners.
The vulnerability, CVE-2019-1663, has a CVSS score of 9.8 and impacts the Cisco RV215W Wireless-N VPN Router, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV110W Wireless-N VPN Firewall. These small business routers are used for wireless connectivity in small offices and home offices.
A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of the affected device as a high-privilege user
Cisco has tagged this vulnerability with CWE-119, it remarks buffer overflow vulnerability. This means that a user input field on these devices can be manipulated into dropping code into the device’s memory, which it then executes at the system level. In other words, user input fields is not proper validated.
Cicso patched software version: RV130W Wireless-N Multifunction VPN, Router version 220.127.116.11,RV215W Wireless-N VPN Router version 18.104.22.168 and RV110W Wireless-N VPN Firewall version 22.214.171.124