Three major vulnerabilities found in Cisco SMB switches

Cisco Logo
(Image credit: Shutterstock)

Three of Cisco's most popular switches for SMBs contain serious security flaws that could allow a hacker to remotely access the device and infiltrate an organisation's network.

The critical vulnerabilities, which affect Cisco's Small Business 220 Series of smart switches, include a remote code execution (RCE) bug rated 9.8/10 by Cisco in terms of threat severity, an authentication bypass rated 9.1/10 and a command injection rated 7.2/10 .

The two most severe bugs the authentication bypass and command injection can be exploited by a hacker over the internet without the need for authentication on the device. "Depending on the configuration of the affected switch, the malicious requests must be sent via HTTP or HTTPS," said Cisco in an advisory notice.

The RCE bug allows attackers to execute malicious code with root privileges on the underlying operating system, meaning they can take over the device via an HTTP or HTTPS request on any internet-facing 220 Series switch.

A patch has been issued for each of the three vulnerabilities, but the updates aren't delivered automatically so the onus is on the customer to keep their business safe.

These vulnerabilities mark a continuation of an increasingly dire year for Cisco in terms of security. A wealth of issues have plagued its equipment which prompted many questions from customers at this year's Cisco Live US conference.

Most significant of these issues was Thrangrycat, a pair of interoperating vulnerabilities that affected most Cisco enterprise routers, giving attackers the opportunitys to block updates to a core security module, which could potentially lead to an entire network's compromise.

Experts said at the time that Thrangrycat was "virtually unpatchable" and likened the weakness to a bank leaving its vault doors wide open. When asked about what the company was doing to address the problem, experts at Cisco's Talos team seemed to evade the crux of the question.

Most recently, the company settled a lawsuit accusing it of knowingly selling faulty equipment to the US government and military for $8.6 million.

Earlier this year, the company came under fire again for failing to patch two critical vulnerabilities in its SMB routers after being notified months earlier.

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.