A vulnerability in the Universal Plug-and-Play (UPnP) service of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition.

This vulnerability is due to improper validation of incoming UPnP traffic. An attacker could exploit this vulnerability by sending a crafted UPnP request to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a DoS condition.

This vulnerability affects the following Cisco Small Business RV Series Routers if they have UPnP configured:

  • RV110W Wireless-N VPN Firewalls
  • RV130 VPN Routers
  • RV130W Wireless-N Multifunction VPN Routers
  • RV215W Wireless-N VPN Routers

Cisco has not and will not release software updates to address this vulnerability, as "there are no workarounds that address this vulnerability," Cisco says. However, administrators may disable the affected feature. 

"The new UPnP vulnerabilities found in the Cisco Small Business line of routers should be taken seriously by network security teams. Exposure should be identified and prioritized based on contextualized business risk," says Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation. "Based on this measure of risk, steps to mitigate the threat should be taken to protect the business."

Zach Varnell, Senior AppSec Consultant at nVisium, a Falls Church, Virginia-based application security provider, explains, "These are very popular Cisco devices, and it's extremely common for said devices to rarely — or never — receive updates. Users tend to want to leave well enough alone and not touch a device that's been working well — including when it needs important updates. Many times, users also take advantage of plug-and-play functionality, so they do very little or zero configuration changes, leaving the device at its default status and ultimately vulnerable."