Cisco has announced there will be no patch released for a critical security vulnerability discovered in their Small Business line of routers, as the affected devices reached their end of life in 2019. The critical issue, CVE-2021-34730, affects the Universal Plug-and-Play (UPnP) service and could allow unauthenticated attackers to execute commands on the router or cause a denial of service through forced reboots.
Five other medium-severity issues disclosed simultaneously may still be patched if they are found to affect supported Cisco products.
Affected Devices
Cisco Small Business router models RV110W, RV130, RV130W and RV215W are vulnerable to the critical-severity issue CVE-2021-34730, which will not receive a patch.
Mitigation
This particular issue can be mitigated by deactivating UPnP on the device’s LAN and WAN interfaces.
UPnP is enabled by default on these devices. To disable the service, navigate to Basic Settings -> UPnP in the web administration interface and select the option to disable UPnP. Note that this does not fix or patch the issue, and use of end-of-life hardware should be discontinued in favor of supported devices.
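One way to confirm from the LAN side that the router has stopped answering UPnP discovery once the setting is changed, as an added example that is not part of the original advisory or Cisco's tooling. The router address `192.168.1.1` and the sample reply are assumptions constructed for illustration.

```python
import socket

SSDP_GROUP = ("239.255.255.250", 1900)  # standard SSDP multicast address and port
M_SEARCH = (b'M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n'
            b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: upnp:rootdevice\r\n\r\n')
ROUTER_IP = "192.168.1.1"  # assumption: replace with your router's LAN address
# Constructed sample reply (not captured from a real device), used for offline checks.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\n"
                b"ST: upnp:rootdevice\r\nSERVER: ExampleOS/1.0 UPnP/1.0 example/1.0\r\n\r\n")

def parse_ssdp(datagram):
    """Return the headers of an SSDP 200 reply (names upper-cased), or {} otherwise."""
    lines = datagram.decode("utf-8", "replace").split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def router_replies(replies, router_ip):
    """Filter (datagram, source_ip) pairs down to valid SSDP replies from the router."""
    hits = []
    for data, src in replies:
        headers = parse_ssdp(data)
        if src == router_ip and headers:
            hits.append((headers.get("ST", ""), headers.get("SERVER", "")))
    return hits

def probe(timeout=3.0):
    """Send one M-SEARCH on the local segment and collect replies until timeout."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)  # LAN only
        sock.sendto(M_SEARCH, SSDP_GROUP)
        try:
            while True:
                data, (src, _port) = sock.recvfrom(4096)
                replies.append((data, src))
        except socket.timeout:
            pass
    return replies

if __name__ == "__main__":
    hits = router_replies(probe(), ROUTER_IP)
    print("UPnP still answering:" if hits else "No SSDP reply from router", hits)
```

A quiet result only covers the LAN segment the script runs on; it says nothing about the WAN interface, which the setting must also cover.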
Next Steps
Ensure your business’ footprint leaves as little space as possible for attackers to target. To receive a tailored report containing actionable guidance on increasing your security posture, request a free, no-obligation attack surface audit now.