Cisco says that a new authentication bypass flaw affecting multiple small business VPN routers will not be patched because the devices have reached end-of-life (EoL).
This zero-day bug (CVE-2022-20923) is caused by a faulty password validation algorithm. If the IPSec VPN Server feature is enabled, attackers could exploit the flaw to log in to the VPN on vulnerable devices using what the company describes as “crafted credentials.”
“A successful exploit could allow the attacker to bypass authentication and access the IPSec VPN network,” Cisco explained in a security advisory issued on Wednesday.
“The attacker may obtain privileges that are the same level as an administrative user, depending on the crafted credentials that are used.”
To determine if the IPSec VPN Server is enabled on a router, you have to log in to the web-based management interface and go to VPN > IPSec VPN Server >…