A vulnerability in Cisco’s Prime Home service being sold to ISPs as a solution to manage subscribers’ home smart devices, allows attackers to control allegedly thousands of households via a remote execution bug.
The vulnerability has been given a CVSS score of 10 and ranked as critical, as attackers can bypass authentication and execute commands with administrator privileges. Consequently, routers and smart homes managed by ISPs that rely on Cisco’s Prime Home service could be remotely controlled by attackers and used to manage all in-home devices.
“An attacker could exploit this vulnerability by sending API commands via HTTP to a particular URL without prior authentication,” reads the Cisco Advisory. “An exploit could allow the attacker to perform any actions in Cisco Prime Home with administrator privileges.”
Having administrator control in Cisco’s Prime Home GUI (Graphical User Interface) is especially dangerous as attackers could take any action over smart home IoT devices. There’s little users can do at this point, as it’s up to ISPs that use Cisco’s Prime Home to install the latest security update to fix the vulnerability.
“The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory,” reads the advisory.
With no workaround currently available – except for the security update – ISPs running v220.127.116.11 and below are encouraged to update the management software as soon as possible. However, versions 5.2 and earlier do not seem to be affected and Cisco is not aware of the vulnerability actively being used in the wild.
With cybercriminals becoming more interested in gaining control over as many IoT devices and use them to take down critical systems in DDoS-type attacks, vulnerabilities like this could enable them to easily access large number of IoT devices and turn them into botnet zombies.