Cisco released a slew of software patches to fix bugs in its IOS XE operating system, but said two small business routers are still vulnerable to attacks.
In all, Cisco issued 25 security alerts on Wednesday and Thursday. It rated 19 high severity and six medium.
As of Thursday morning, Cisco didn’t have fixes for a bug in two small business routers: RV320 and RV325. The company first issued patches for this vulnerability in January, but “The initial fix for this vulnerability was found to be incomplete,” the new security advisory said. “Cisco is currently working on a complete fix.”
“We are working on a complete fix with the highest priority and thank our customers and our partners for their patience during the resolution of this issue,” a Cisco spokesperson said via email in response to questions. “Please refer to the security advisories for the latest information.”
The vulnerability affects Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers running Firmware Releases 184.108.40.206 and later.
The advisory also said there are no workarounds or firmware updates that address this bug, which could allow a remote attacker to execute arbitrary commands on the underlying Linux shell as root.
It attributes the flaw to improper validation of user-supplied input. “An attacker could exploit this vulnerability by sending malicious HTTP POST requests to the web-based management interface of an affected device,” the advisory said.
Cisco issued software updates to fix all of the vulnerabilities detailed in the other security advisories.