Cisco will not repair major vulnerability in routers

Exploiting the issue allows a remote, unauthorized attacker to execute arbitrary code.

Cisco will not fix a critical vulnerability (CVE-2021-34730) in its Small Business routers, because the devices reached end of life (EOL) in 2019.

The issue resides in the routers' Universal Plug-and-Play (UPnP) service and is rated 9.8 out of a maximum of 10 on the CVSS scale. Exploiting it enables an unauthorised remote attacker to run arbitrary code or force a device to restart, resulting in a denial-of-service (DoS) condition.

The flaw is caused by improper validation of incoming UPnP traffic and can be exploited by sending a specially crafted UPnP request to a vulnerable device. Successful exploitation executes code on the underlying operating system remotely as a superuser.

"Cisco has no software upgrades to address the issue and will not update them. The routers Cisco Small Business RV110W, RV130W and RV215W are up and running." The experts advised customers to upgrade to the Cisco Small Business RV132W, RV160 or RV160W routers.

In the absence of a patch, Cisco suggests that users deactivate UPnP on the LAN interface.
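
Once UPnP has been turned off, the change can be verified from a host on the same LAN by sending a standard SSDP discovery probe and checking that the router no longer answers. The script below is an added example, not code from Cisco or from the original article; the router address `192.168.1.1` is an assumed default and can be passed as the first argument.

```python
import socket
import sys

SSDP_GROUP = ("239.255.255.250", 1900)  # standard SSDP multicast address and port

def build_msearch(st="upnp:rootdevice", mx=2):
    """Return the SSDP M-SEARCH discovery datagram as bytes."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "", "",
    ]
    return "\r\n".join(lines).encode("ascii")

def parse_response(data):
    """Parse an SSDP reply into (status_line, {UPPERCASE-HEADER: value})."""
    text = data.decode("utf-8", errors="replace")
    head = text.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return head[0], headers

def discover(timeout=3.0):
    """Send one M-SEARCH and collect {responder_ip: headers} until timeout."""
    found = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_msearch(), SSDP_GROUP)
        try:
            while True:
                data, (ip, _port) = s.recvfrom(4096)
                status, headers = parse_response(data)
                if status.startswith("HTTP/1.1 200"):
                    found[ip] = headers
        except socket.timeout:
            pass  # no further replies within the timeout window
    return found

def router_answers(found, router_ip):
    """True if the router still answered discovery, i.e. UPnP looks enabled."""
    return router_ip in found

if __name__ == "__main__":
    router = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # assumed address
    found = discover()
    for ip, h in found.items():
        print(ip, h.get("SERVER", "?"), h.get("LOCATION", "?"))
    print("router UPnP responding:", router_answers(found, router))
```

A silent router is consistent with UPnP being disabled, but the setting should still be confirmed in the device's administration interface, since a host firewall or a dropped datagram can also suppress replies.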