New Exploit Threatens Over 9,000 Hackable Cisco RV320/RV325 Routers Worldwide

If the connectivity and security of your organization rely on Cisco RV320 or RV325 Dual Gigabit WAN VPN routers, then you need to immediately install the latest firmware update released by the vendor last week.

Cyber attackers have actively been exploiting two newly patched high-severity router vulnerabilities in the wild after a security researcher released their proof-of-concept exploit code on the Internet last weekend.

The vulnerabilities in question are a command injection flaw (assigned CVE-2019-1652) and an information disclosure flaw (assigned CVE-2019-1653), a combination of which could allow a remote attacker to take full control of an affected Cisco router.

The first issue exists in RV320 and RV325 dual gigabit WAN VPN routers running firmware versions through, and the second affects firmware versions and, according to Cisco's advisory.

Both vulnerabilities, discovered and responsibly reported to Cisco by German security firm RedTeam Pentesting, reside in the routers' web-based management interface and are remotely exploitable.

  • CVE-2019-1652—The flaw allows an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands on the underlying system.
  • CVE-2019-1653—This flaw requires no authentication: anyone who can reach the router's web-based management portal can retrieve sensitive information, including the router's configuration file (which contains MD5-hashed credentials) and diagnostic information.

The PoC exploit code targeting Cisco RV320/RV325 routers published on the Internet first exploits CVE-2019-1653 to retrieve the configuration file from the router to obtain its hashed credentials and then exploits CVE-2019-1652 to execute arbitrary commands and gain complete control of the affected device.

Researchers from cybersecurity firm Bad Packets said they found at least 9,657 Cisco routers (6,247 RV320 and 3,410 RV325) worldwide that are vulnerable to the information disclosure flaw, most of them located in the United States.

The firm shared an interactive map, showing all vulnerable RV320/RV325 Cisco routers in 122 countries and on the network of 1,619 unique internet service providers.

Bad Packets said its honeypots detected opportunistic scanning for vulnerable routers from multiple hosts beginning on Saturday, suggesting that attackers are actively trying to exploit the flaws to take full control of vulnerable devices.
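The PoC chain described above (unauthenticated config download, then an authenticated request to the management interface) and the opportunistic scanning Bad Packets observed both leave a recognisable trace in HTTP access logs. As an added example that is not code from this article, from Cisco, RedTeam Pentesting or Bad Packets, the following Python correlates the two stages per source address in logs taken from something in front of the router, such as a reverse proxy or an IDS sensor. The config-export path is taken from public reporting on CVE-2019-1653 rather than from this article, the management page names are placeholders, and the log lines are constructed; treat all three as assumptions and adjust them for your environment.

```python
"""Spot the RV320/RV325 exploit chain in HTTP access logs (added example).

Stage 1: an unauthenticated GET of the configuration export (CVE-2019-1653).
Stage 2: the same source later POSTing to a management page after logging in
         with the recovered credentials, where CVE-2019-1652 is reached.
"""
import re
from datetime import datetime, timedelta

# Assumption: the unauthenticated config-export path. It comes from public
# reporting on CVE-2019-1653, not from this article; change it if needed.
CONFIG_EXPORT_PATHS = {"/cgi-bin/config.exp"}

# Assumption: management pages are *.htm documents under the web root.
MGMT_PAGE_RE = re.compile(r"^/[\w./-]+\.htm$")

# Common/combined access-log line; trailing referer/user-agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    ev["path"] = ev["path"].split("?", 1)[0]  # drop any query string
    return ev


def analyse(lines, window=timedelta(hours=24)):
    """Walk chronologically ordered log lines and return (scanners, chained).

    scanners: sorted source IPs that probed the config-export path at all,
              whatever the response code (opportunistic scanning).
    chained:  (ip, export_ts, post_ts, path) tuples where a source first
              downloaded the config (HTTP 200) and then, within `window`,
              POSTed successfully to a management page: stage 2 of the chain.
    """
    scanners = set()
    first_export = {}  # ip -> time of first successful config download
    chained = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: skip, never crash the detector
        ip, ts, path = ev["ip"], ev["ts"], ev["path"]
        if path in CONFIG_EXPORT_PATHS:
            scanners.add(ip)
            if ev["method"] == "GET" and ev["status"] == 200:
                first_export.setdefault(ip, ts)
            continue
        if (ev["method"] == "POST" and ev["status"] == 200
                and MGMT_PAGE_RE.match(path)
                and ip in first_export
                and timedelta(0) <= ts - first_export[ip] <= window):
            chained.append((ip, first_export[ip], ts, path))
    return sorted(scanners), chained


# Constructed sample log: RFC 5737 documentation addresses, placeholder page
# names, not real traffic. The third line is a probe that was refused.
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Jan/2019:09:14:02 +0000] "GET /cgi-bin/config.exp HTTP/1.1" 200 18327 "-" "python-requests/2.21.0"',
    '198.51.100.7 - - [26/Jan/2019:09:31:40 +0000] "POST /login.htm HTTP/1.1" 200 512 "-" "python-requests/2.21.0"',
    '203.0.113.20 - - [26/Jan/2019:11:02:11 +0000] "GET /cgi-bin/config.exp HTTP/1.1" 403 0 "-" "zgrab/0.x"',
    '192.0.2.44 - - [26/Jan/2019:12:30:00 +0000] "GET /login.htm HTTP/1.1" 200 4501 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [26/Jan/2019:12:31:10 +0000] "POST /config.htm HTTP/1.1" 200 900 "http://router/login.htm" "Mozilla/5.0"',
    "this line is deliberately malformed",
]

if __name__ == "__main__":
    scanners, chained = analyse(SAMPLE_LOG)
    print("hosts probing the config export:", scanners)
    for ip, t1, t2, path in chained:
        print(f"ALERT {ip}: config exported {t1:%H:%M:%S}, then POST {path} at {t2:%H:%M:%S}")
```

The benign administrator (192.0.2.44) never fetched the config, so their POST is not flagged; the refused probe from 203.0.113.20 is still counted as scanning, which is the signal the honeypots picked up. A successful export with no follow-up is worth an alert on its own, since the hashes are now in the attacker's hands regardless of what they do next.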

The best way to protect yourself from becoming the target of such an attack is to install the latest Cisco RV320 and RV325 firmware release as soon as possible, and to confirm afterwards that the running version is one of the fixed releases listed in Cisco's advisory. Given that the flaws are remotely exploitable through the web management interface, that interface should not be reachable from the Internet in the first place.

Administrators who have not yet applied the firmware update should treat their routers as already compromised and change the admin and Wi-Fi credentials. Do this after patching, not before: until the update is installed, the information disclosure flaw lets an unauthenticated attacker download the configuration file again and obtain the hashes of the new credentials.

Cisco targets mobile enterprise apps with geolocation technology

Cisco’s cloud-based DNA Spaces includes Cisco’s Connected Mobile Experience (CMX) and enterprise geolocation technology that it purchased from July Systems.

Cisco is rolling out a cloud-based geolocation package it expects will help customers grow mobile location services and integrate data from those services into enterprise analytics and business applications.

The package, called DNA Spaces, is comprised of Cisco’s Connected Mobile Experience (CMX) wireless suite and enterprise geolocation technology purchased from July Systems. Cisco CMX is a software engine that uses location and other intelligence gleaned from Cisco wireless infrastructure to generate analytics data and help deliver services to customers on their mobile devices.

Cisco bought July last June for an undisclosed price. July provides businesses with deep and accurate analytics about who and what are in their physical locations along with the ability to act on those insights in real-time, Cisco said.

July Systems, founded in 2001, features its flagship enterprise-grade location platform, Proximity MX, which includes instant customer activation, data-driven behavioral insights, a contextual rules engine and APIs.

The platform works with multiple location technologies such as Wi-Fi, Bluetooth Beacons or GPS to sense the user’s device with or without an app installed. Proximity MX can engage the user with SMS, E-mail or push notifications or trigger a notification to the business user or system via API, SMS or E-mail, July says.

With DNA Spaces, customers will be able to see not just which spaces (department stores, waiting rooms, cafeterias) are being used and when, but also where people come from to get to those rooms, how long they stay in them, what data resources they use and where they go after they leave, said Greg Dorai, vice president of product management with Cisco Enterprise Wireless Solutions.

“Applying analytics to that data and patterns, a hospital can make data-informed improvements, such as locating medical equipment and other assets or triggering alerts if equipment moves to a location for which it’s not designated,” Dorai said.

“The overarching idea is to give customers an at-scale system they can use to identify and recognize data patterns, tie in location information and analytics and use it in enterprise systems like CRM,” said Dorai.

DNA Spaces could also help network managers, because they will be able to identify areas where wireless service is weak and be pointed toward improved access-point deployments.

Security-wise, customers can look at analytics results and potentially spot unusual patterns of movement among wireless devices that could indicate physical breaches, Cisco said.

DNA Spaces includes a captive portal to engage visitors and open API access that will let third parties use Cisco DNA Spaces to build new business applications, as well as deeper operational insights, such as environmental sensor data integration and anomaly detection for IoT devices, Cisco said.

The opportunity Cisco sees is in large part built on the fact that the company says it has 25 million wireless access points (including its Meraki and Aironet access devices) in the field that can be connected to Cisco DNA Spaces.

In addition, an on-premises version of DNA Spaces, without the July integration, has been available since last year and is already live in over 21,000 locations.

All existing Cisco wireless customers can start a 90-day free trial of DNA Spaces now.

The monster growth in mobile communications is another area Cisco is looking to exploit with DNA Spaces. For example in its most recent Visual Networking Index (VNI) Cisco said that globally, there will be nearly 549 million public Wi-Fi hotspots by 2022, up from 124 million hotspots in 2017, a fourfold increase.

“Hotels, cafes, and restaurants will have the highest number of hotspots by 2022 globally, and the fastest growth is in healthcare facilities (hospitals), where hotspots will triple over the forecast period. The primary objective of Wi-Fi in hospitals is to improve the delivery of healthcare services and staff productivity, with a secondary benefit being Internet access for patients, their families, and their guests,” Cisco stated.

Gartner says Cisco is among largest players in the location-services arena which includes AiRista, Aruba (HPE), Mist and others.

“Cisco’s CMX location engine can manage, monitor, detect and analyze standard signal strength and antenna-enhanced signals from Wi-Fi and BLE devices. Physical beacons are discovered, identified and can be configured and located by the CMX location engine,” Gartner said in a recent indoor location services report.

“Cisco Wi-Fi location solutions deliver a broad range of location accuracy based on customers’ needs, from presence (15 meters to 20 meters), FastLocate (five meters to seven meters) to Hyperlocation (one meter to three meters),” Gartner stated.