8k Cisco RV320/RV325 routers are still leaking their admin credentials

On Friday, January 25, 2019, our honeypots detected opportunistic scanning activity from multiple hosts targeting Cisco Small Business RV320 and RV325 routers. A vulnerability exists in these routers that allow remote unauthenticated information disclosure ( CVE-2019-1653 ) leading to remote code execution ( CVE-2019-1652 ).

These scans consisted of a GET request for /cgi-bin/config.exp which is the path that allows unauthenticated remote users to obtain an entire dump of the device’s configuration settings. This includes the administrator credentials, however the password is hashed.

All configuration settings of the RV320/RV325 routers are exposed by this vulnerability.

Using data provided by BinaryEdge , we’ve scanned  15,309 unique IPv4 hosts and determined 9,657 Cisco RV320/RV325 routers are vulnerable to CVE-2019-1653.

• 6,247 out of 9,852 Cisco RV320 routers scanned are vulnerable
  (1,650 are not vulnerable and 1,955 did not respond to our scans)
• 3,410 out of 5,457 Cisco RV325 routers scanned are vulnerable
  (1,027 are not vulnerable and 1,020 did not respond to our scans)

Of the vulnerable routers found, most were located in the United States.

This interactive map shows the total vulnerable hosts found per country. Overall, vulnerable devices were found in 122 countries and on the network of 1,619 unique internet service providers (autonomous systems).

These routers can be exploited further using the leaked credentials (CVE-2019-1652) resulting in remote code execution detailed in the proof-of-concept published by David Davidson ( 0x27 ).

These vulnerabilities affect Cisco RV320/RV325 routers running firmware releases 1.4.2.15 and 1.4.2.17. Cisco has released a patch for these routers that should be applied immediately by anyone using outdated firmware. Changing the device’s admin and WiFi credentials is also highly recommended as they may already be compromised. Cisco has published an advisory providing further details here .

Closing remarks

Due to the sensitive nature of these vulnerabilities, the IP addresses of the affected Cisco RV320/RV325 routers will not be published publicly. However, the list is freely available for authorized CERT teams to review. We’ve shared our findings directly with Cisco PSIRT and US-CERT for further investigation and remediation.

Additional updates

Update 2019-01-30:

Cisco PSIRT confirmed receipt of our report of vulnerable Cisco RV320/RV325 routers. We’ve also shared our findings with  INCIBE-CERT .

Our honeypots detected incoming scans from new unique hosts checking for vulnerable Cisco RV320/RV325 routers.

Our honeypots detected incoming scans from a new unique host checking for Cisco RV320/RV325 routers vulnerable to CVE-2019-1653.

Update 2019-03-27:

In a disclosure posted today, RedTeam Pentesting revealed the firmware update released by Cisco for affected RV320/RV325 routers was not properly corrected.

Patched devices may still be vulnerable to unauthorized information disclosure if the user agent used by the attacker is something other than curl .

Cisco firmware update for RV320/RV325 routers simply blacklisted the user agent for curl. ‍♂️ https://t.co/iWrUn98vcr

— Bad Packets Report (@bad_packets) March 27, 2019

Update 2019-03-28:

Our latest scan results indicate over 8,000 Cisco RV320/RV325 routers are still vulnerable to CVE-2019-1653.

Using the latest data from @binaryedgeio , we've scanned 14,045 Cisco RV320/RV325 routers and found 8,827 are leaking their configuration file, including admin credentials, to the public internet.

Map of total vulnerable hosts found per country: https://t.co/8TDKyIGUTe pic.twitter.com/7ffywLebEt

— Bad Packets Report (@bad_packets) March 28, 2019