Cisco won’t fix authentication bypass zero-day in EoL routers


Cisco says that a new authentication bypass flaw affecting multiple small business VPN routers will not be patched because the devices have reached end-of-life (EoL).

This zero-day bug (CVE-2022-20923) is caused by a faulty password validation algorithm that attackers could exploit to log into the VPN on vulnerable devices using what the company describes as “crafted credentials” if the IPSec VPN Server feature is enabled.

“A successful exploit could allow the attacker to bypass authentication and access the IPSec VPN network,” Cisco explained in a security advisory issued on Wednesday.

Read more…
Source:  Bleeping Computer