Cisco Wednesday disclosed four vulnerabilities – one critical – in the web-based management interfaces of three products, including a firewall and two wireless routers (models RV110W, RV130W and RV215W).
The critical issue is an arbitrary code execution vulnerability resulting from insufficient sanitization of HTTP user-supplied input. Consequently, an unauthenticated attacker could send crafted HTTP requests to targeted systems in order to remotely execute code with root-level privileges. There are no workarounds or patches for the flaw at this time, though Cisco confirmed to SCMagazine.com that "a fix is under development and will be released in the near future." Disabling remote management capabilities also reduces the likelihood that this vulnerability can be exploited.
Cisco's three other advisories pertain to a cross-scripting vulnerability and two HTTP request buffer overflow vulnerabilities. The company said it plans to release firmware updates addressing these flaws in Q3 2016.