Networking equipment vendor Cisco said yesterday it was not going to release firmware updates to fix 74 vulnerabilities that had been reported in its line of RV routers, which had reached end-of-life (EOL).
Affected devices include Cisco Small Business RV110W, RV130, RV130W, and RV215W systems, which can be used as routers, firewalls, and VPNs.
All four reached EOL in 2017 and 2018 and have also recently exited their last maintenance window as part of paid support contracts on December 1, 2020.
In three security advisories posted yesterday [1, 2, 3], Cisco said that since December, it received bug reports for vulnerabilities ranging from simple denial of service issues that crashed devices to security flaws that could be used to gain access to root accounts and hijack routers.
In total, the device maker said it received 74 bug reports but that it wouldn’t be releasing any software patches, mitigations, or workarounds as the devices had reached EOL years before.
Instead, the company advised that customers move operations to newer devices, such as the RV132W, RV160, or RV160W models, which provide the same features and which are still being actively supported.
Some of the company’s customers might not like the company’s decision, but the good news is that none of the bugs disclosed today can be exploited easily.
Cisco said that all the vulnerabilities require that an attacker have credentials for the device, which reduces the risk of having a network attacked in the coming weeks or months. This gives administrators a chance to plan and prepare a migration to newer gear, or at least deploy their own countermeasures.
The CVE identifiers of the bugs Cisco declined to patch in its EOL routers are listed below: