Cisco stated that these devices have reached end-of-life (EOL), so the affected Cisco routers will not be fixed. The deadline for software maintenance releases and bug fixes was December 1, 2020. Cisco has released software updates to fix the remaining vulnerabilities and said it is not aware of any threat actors exploiting them.
CVE-2021-1144, a high-severity bug (CVSS score of 8.8) in Connected Mobile Experiences (CMX), is the most serious of the flaws: threat actors can exploit it to change the password of any user account on the system, including administrator accounts. Threat actors can exploit the vulnerability by sending a modified HTTP request to a susceptible device.
CVE-2021-1237 (CVSS score of 7.8) is tracked as another high-severity flaw. It was detected in the AnyConnect Secure Mobility Client for Windows and affects the Web Security Agent Components and the endpoint solution’s Network Access Manager. This vulnerability could be exploited by an authenticated, local threat actor for Dynamic Link Library (DLL) installation.
Cisco stated that “an attacker could exploit this vulnerability by inserting a configuration file in a specific path in the system which, in turn, causes a malicious DLL file to be loaded when the application starts. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM ..