Cisco Warns of Unpatched Vulnerability (CVE-2024-20416) in RV340 and RV345 Routers
Cisco has issued a security advisory warning users of a vulnerability in their RV340 and RV345 Dual WAN Gigabit VPN routers. The vulnerability, identified as CVE-2024-20416, could allow an authenticated attacker to remotely execute arbitrary code on affected devices.
CVE-2024-20416 has a CVSS score of 6.5, indicating a medium severity level. This vulnerability stems from insufficient boundary checks when processing specific HTTP requests, potentially granting attackers extensive control over the router’s underlying operating system. Despite the severity of the flaw, Cisco has announced it will not release software updates to address it, as the affected router models have reached end-of-life status.
The following Cisco products are impacted by this vulnerability if they are running Cisco Small Business Router Firmware Release 1.0.03.24 or later:
- RV340 Dual WAN Gigabit VPN Routers
- RV340W Dual WAN Gigabit Wireless-AC VPN Routers
- RV345 Dual WAN Gigabit VPN Routers
- RV345P Dual WAN Gigabit PoE VPN Routers
Cisco has confirmed that there are no workarounds to mitigate this vulnerability. While Cisco PSIRT is not currently aware of any public exploits or malicious use of the vulnerability, the lack of a patch underscores the urgency for users to take action.
Since there is no software fix available, the only recommended course of action is to replace the affected routers with newer, supported models. Cisco emphasizes that continued use of vulnerable routers exposes users to significant security risks.
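Because the advisory offers no patch or workaround, the defensive task is inventory: find every unit in scope and schedule its replacement. The following added example (not Cisco's code) flags RV340-series routers whose firmware is at or above the 1.0.03.24 release the advisory names; the hostnames and firmware versions in the sample inventory are constructed.

```python
"""Flag Cisco RV340-series routers in scope for CVE-2024-20416.

Added illustration, not part of Cisco's advisory. Per the advisory, the RV340,
RV340W, RV345 and RV345P are affected when running Small Business Router
Firmware Release 1.0.03.24 or later, and the only remediation is replacement.
"""
from dataclasses import dataclass

AFFECTED_MODELS = {"RV340", "RV340W", "RV345", "RV345P"}
FIRST_AFFECTED_RELEASE = "1.0.03.24"  # release named in the advisory


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '1.0.03.24' into (1, 0, 3, 24) so zero-padded fields compare numerically."""
    return tuple(int(field) for field in version.strip().split("."))


def is_affected(model: str, firmware: str) -> bool:
    """True when the model is in scope and its firmware is 1.0.03.24 or later."""
    if model.upper() not in AFFECTED_MODELS:
        return False
    return parse_version(firmware) >= parse_version(FIRST_AFFECTED_RELEASE)


@dataclass(frozen=True)
class Device:
    hostname: str
    model: str
    firmware: str


def devices_needing_replacement(inventory: list[Device]) -> list[str]:
    """Return hostnames that must be replaced; no fix will ship for these units."""
    return [d.hostname for d in inventory if is_affected(d.model, d.firmware)]


# Constructed sample inventory: hostnames and firmware versions are made up.
SAMPLE_INVENTORY = [
    Device("branch-gw-01", "RV340", "1.0.03.29"),
    Device("branch-gw-02", "RV345P", "1.0.03.24"),
    Device("lab-gw-03", "RV345", "1.0.03.22"),   # below the stated release, out of range
    Device("core-gw-04", "RV160", "1.0.01.05"),  # different model, out of scope
]

if __name__ == "__main__":
    for host in devices_needing_replacement(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2024-20416, schedule replacement")
```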