"Cisco Warns of Many Old Vulnerabilities Being Exploited in Attacks"

Cisco has recently updated multiple security advisories to warn of the malicious exploitation of severe vulnerabilities impacting its networking devices.  Many of the bugs, which carry severity ratings of "critical" or "high," have been addressed 4-5 years ago, but organizations that haven't patched their devices continue to be impacted.  Last week, Cisco added exploitation warnings to more than 20 advisories detailing security defects in Cisco IOS, NX-OS, and HyperFlex software.  Five of the updated advisories resolve critical-severity vulnerabilities that could allow remote attackers to execute arbitrary code (RCE), cause a denial-of-service (DoS) condition, or execute arbitrary commands.  Carrying a CVSS score of 9.8, the exploited vulnerabilities are tracked as CVE-2017-12240, CVE-2018-0171, CVE-2018-0125, CVE-2021-1497, and CVE-2018-0147, and impact Cisco IOS and IOS XE, the RV132W and RV134W routers, HyperFlex HX, and Secure Access Control System (ACS).  Cisco also updated 15 advisories that deal with high-severity flaws in Cisco IOS and IOS XE and one that addresses a high-severity arbitrary command execution issue in Small Business RV series routers.  Cisco also updated several advisories detailing medium-severity bugs.  The US Cybersecurity and Infrastructure Security Agency (CISA) added these vulnerabilities to its Known Exploited Vulnerabilities Catalog months ago, but there does not appear to be any information regarding the attacks exploiting many of these flaws.  Organizations are advised to review the advisories and apply necessary patches as soon as possible.

SecurityWeek reports: "Cisco Warns of Many Old Vulnerabilities Being Exploited in Attacks"