Cisco has today patched three dangerous bugs in one of its most popular products, the Cisco Small Business 220 Series of smart switches.
The three bugs are an authentication bypass (CVE-2019-1912, rated Critical, with a score of 9.1 out of 10), a remote code execution (CVE-2019-1913, rated Critical, with a score of 9.8 out of 10), and a command injection (CVE-2019-1914, rated Medium, with a score of 7.2 out of 10).
Of the three, the first two are the most dangerous because they can be exploited by remote attackers over the internet without needing to authenticate on the device. This means that any Cisco 220 Series smart switch that is reachable over the internet can be attacked.
In a security advisory published today, Cisco said attackers can leverage the authentication bypass vulnerability to upload files on Cisco 220 switches, either to replace configuration files or plant a reverse shell.
The second bug, and the most dangerous of the three, allows attackers to run malicious code with root privileges, effectively allowing attackers to take over devices with a simple HTTP or HTTPS request aimed at unpatched switches.