Best Top Reviews Online

Active Scans Target Cisco Routers Vulnerable to Remote Code Execution

Two recently patched vulnerabilities that allow remote unauthenticated information disclosure and remote code execution are being targeted by cybercriminals.


Ongoing malicious scanning activity is targeting Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN routers, with an increase in opportunistic probes targeting vulnerable devices since Friday.

According to honeypot data from Bad Packets Report, cybercriminals are targeting a pair of recently patched vulnerabilities that allow remote unauthenticated information disclosure and remote code execution on routers. The firm discovered that more than 9,000 routers are vulnerable to attack.

The first flaw exists in the web-based management interface for the RV320/RV325: a simple GET request for /cgi-bin/config.exp returns the complete configuration settings for the device, including administrator credentials (though the password is hashed).

“This could allow an unauthenticated, remote attacker to obtain sensitive configuration information,” researcher Troy Mursch explained in a weekend advisory. The vulnerability exposes all router configuration information for the RV320/RV325 models.
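The scanning activity described above leaves a distinctive trace: unauthenticated GET requests for /cgi-bin/config.exp against the router's management interface. The following is an added example, not code from the article or from Bad Packets Report, showing how a defender could sweep web-access or honeypot logs for that path, count requests per source address, and flag any that were answered with HTTP 200 (a sign the configuration was actually exported). The log lines are constructed, combined-format samples using documentation IP ranges; the field layout and the handling of appended query strings are assumptions.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format) standing in for
# traffic seen at a router's web-management interface or at a honeypot.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Jan/2019:10:01:02 +0000] "GET /cgi-bin/config.exp HTTP/1.1" 200 18233 "-" "python-requests/2.21.0"
198.51.100.4 - - [26/Jan/2019:10:01:09 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Jan/2019:10:02:15 +0000] "GET /cgi-bin/config.exp HTTP/1.1" 200 18233 "-" "python-requests/2.21.0"
192.0.2.99 - - [26/Jan/2019:10:03:44 +0000] "GET /cgi-bin/config.exp?x=1 HTTP/1.1" 200 18233 "-" "curl/7.58.0"
198.51.100.4 - - [26/Jan/2019:10:04:00 +0000] "GET /cgi-bin/login.cgi HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

# Assumed combined-log layout: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Request path that, on an unpatched RV320/RV325, returns the full configuration export.
CONFIG_EXPORT_PATH = "/cgi-bin/config.exp"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_config_export_request(entry):
    """True for a GET of the configuration-export path, ignoring any query string."""
    path = entry["path"].split("?", 1)[0]
    return entry["method"] == "GET" and path == CONFIG_EXPORT_PATH


def find_config_export_hits(log_text):
    """Return every parsed entry that requested the configuration export."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_config_export_request(entry):
            hits.append(entry)
    return hits


def summarize_sources(hits):
    """Count export requests per source IP and list sources that received a 200.

    A 200 means the device answered the request, i.e. it is most likely unpatched
    and its configuration (with hashed admin credentials) was handed out.
    """
    per_ip = Counter(h["ip"] for h in hits)
    served = sorted({h["ip"] for h in hits if h["status"] == 200})
    return per_ip, served


if __name__ == "__main__":
    hits = find_config_export_hits(SAMPLE_LOG)
    per_ip, served = summarize_sources(hits)
    for ip, count in per_ip.most_common():
        print(f"{ip}: {count} request(s) for {CONFIG_EXPORT_PATH}")
    if served:
        print("Sources answered with HTTP 200 (configuration likely exported):", ", ".join(served))
```

On a router that has been patched the same request should no longer return the configuration, so a 200 for this path after the update is itself worth investigating; on a honeypot, the per-source counts give a simple picture of which scanners are probing for the flaw.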

Bad Packets Report’s BinaryEdge scans of 15,309 unique IPv4 hosts revealed that 9,657 Cisco RV320/RV325 routers are vulnerable to CVE-2019-1653: Remote code execution. It breaks down to 6,247 vulnerable Cisco RV320 routers out of 9,852 scanned, and 3,410 vulnerable Cisco RV325 routers out of 5,457 scanned.

Mursch stated that the majority of these are located in the United States, but that vulnerable devices were discovered in 122 countries and on the networks of 1,619 different ISPs, creating a significant global attack surface.

After logging in with the administrative credentials, an attacker can further exploit the router. The CVE-2019-1652 flaw allows an authenticated, remote attacker with administrative privileges to execute arbitrary commands on a vulnerable device. The vulnerability is caused by improper validation of user-supplied input.

According to Cisco’s documentation, “an attacker could exploit this vulnerability by sending malicious HTTP POST requests to the web-based management interface of a vulnerable device. A successful exploit could permit an attacker to execute arbitrary commands as root on the underlying Linux shell.”

David Davidson, a researcher and grey hat, described a proof-of-concept for remote code execution, but Mursch noted that there are mitigating circumstances.

“It is currently unknown how compromised routers will be exploited,” he explained to us. “At this time, I can only confirm that threat actors are scraping leaked configuration files and credentials to compile an inventory of vulnerable devices. Due to the capabilities (or lack thereof) identified by David Davidson, the actual amount of damage may be restricted. Time alone will tell.”

Davidson’s tweet provided clarification:

Essentially, anyone without a patch is probably doomed. Except for the fact that ‘wget’ on these machines is broken half the time and it’s probably beyond the ability of the average schmuck to cross-compile their mirai bot for the proper mips64rev2 shite (for now)

— an individual (@info dox) on January 26, 2019

Notably, the SSID is also disclosed as a result of the vulnerability.

“This allows attackers to determine the physical location of the router using services such as WiGLE,” Mursch told us.

Mursch noted that this was also the case with the recent Orange Livebox vulnerability. This means that an attacker can conduct a variety of on-site proximity attacks, and it also facilitates the creation of botnets, as many administrators use the same credentials for the administrative panel and the WiFi network — allowing for the enslavement of more devices.

The flaws affect Cisco RV320/RV325 routers with firmware versions and Administrators should immediately apply Cisco’s patch and change the admin and WiFi credentials for their devices to prevent any potential compromises.
