Nothing new with these Cisco Small Business Switches. A researcher, Jasper Adriaanse has identified several vulnerabilities, including ones that have been rated high severity, in Cisco’s Small Business 220 series smart switches.
These vulnerabilities were discovered to impact switches that run firmware versions earlier than 22.214.171.124 and have the web-based management interface enabled which the interface is enabled by default. In an advisory released a few days ago, Cisco said Jasper Adriaanse found a few types of security holes in the small business switches.
One of them, tracked as CVE-2021-1542 and rated high severity, can be exploited by a remote, unauthenticated attacker to hijack a user’s session and gain access to the switch’s web interface. Depending on the privileges of the targeted user, the attacker could gain admin-level access to the management interface.
Another high-severity issue is CVE-2021-1541, which allows a remote attacker with admin permissions on the device to execute arbitrary commands with root privileges on the underlying operating system.
The other two flaws found by the researcher, both classified as medium severity by Cisco, could allow a remote, unauthenticated attacker to launch XSS attacks (CVE-2021-1543) or HTML injection attacks (CVE-2021-1571).