The vulnerabilities, which affect the Cisco Small Business RV160, RV260, RV340, and RV345 series VPN routers, could allow an attacker to execute arbitrary code, elevate privileges, bypass authentication and authorization protections, install and run unsigned software, and cause denial of service.
There are no workarounds that address these vulnerabilities, Cisco said, but software updates have already been released.
That doesn't mean that companies will immediately install updates. Cybercriminals have found massive success exploiting vulnerabilities just like this, months or years after they'd been disclosed and patches released, said Satnam Narang, senior research engineer at Tenable Network Security.
"Many organizations are not patching systems in a timely manner," he told Data Center Knowledge. "We expect that, once public proof of concept code becomes available, attackers will begin rolling it into their playbooks and probing for vulnerable devices."
These types of vulnerabilities are often used by nation-state actors and ransomware groups, he added, "so the worst case could vary between cyber espionage and cyber extortion."
What makes these particular vulnerabilities especially worrisome today is that they involve a critical flaw in Cisco's SSL VPN gateway.
With employees working from home during the pandemic, SSL VPN usage has increased, Narang said.
"SSL VPNs are a favored attack vector for cybercriminals, as they recognize that organizations need to ensure access to internal resources for remote employees," he said.
Tenable highlighted SSL VPN vulnerabilities as among those that mattered most in 2021 in its annual Threat Landscape Retrospective report released last month.
Tenable conducted a Shodan search last week that found more than 8,400 of the affected Cisco routers exposed on the Internet.
The company predicted that VPN vulnerabilities will continue wreaking havoc in 2022.
According to Cisco, proof-of-concept exploit code is already available for several of the vulnerabilities disclosed.
Impact goes beyond SMBs
It would be surprising to see these particular routers in larger organizations and data centers, said Matthew Warner, CTO and co-founder at Blumira, a cybersecurity firm. But that doesn't mean that they won't be affected at all.
"It is a common attack mechanism for threat actors to target MSPs or other SMBs that have broad access into a number of other bigger organizations for their access alone," he said.
For example, in 2013, a high-profile hack of Target started out with the company's HVAC vendor.
Smaller companies often connect to enterprise partners via VPN tunnels, and if those connections aren't properly secured, they could become a point of entry into the larger enterprise networks.
"SMBs aren’t safe just because they’re small," said Mike Parkin, engineer at Vulcan Cyber, a cybersecurity firm. "If these vulnerabilities are exploited in the wild, small organizations could face a series of attacks that they may lack the resources to fix."