Several factors could mitigate exploitation of this vulnerability. First, an attacker must be able to reach the Web Administration Console through the WAN port of the device; exploitation is possible only if remote management over the WAN port has been enabled and the attacker can successfully authenticate. Because the affected device is typically deployed in a Small Office/Home Office (SOHO) environment, it is unlikely that WAN-side management has been enabled; the feature is disabled by default.
Even where WAN-side management is disabled, an attacker can exploit this vulnerability remotely by convincing a user to visit a malicious web page while that user is authenticated to the affected device; the request then reaches the device from the user's own browser rather than from the attacker. An attacker who knows the device's authentication credentials can exploit the vulnerability remotely without an existing authenticated session. This scenario may present itself if the default authentication credentials of the device have not been changed. It is strongly recommended that administrators always change default authentication credentials.
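The recommendation above is only useful if an administrator can tell whether a device still answers to factory credentials. The following is an added example, not code from the advisory or from Cisco: a small Python check that tries a list of candidate default credential pairs against a web administration console and reports which ones are accepted. It assumes the console protects its pages with HTTP Basic authentication (the advisory does not say which scheme the device uses), and the credential list and the in-process stand-in console are constructed for the example so it runs offline.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed list of factory-default credential pairs to try. These are
# illustrative assumptions for the example, not values from the advisory.
DEFAULT_CREDENTIALS = [("admin", "admin"), ("admin", "password"), ("admin", "")]


class FakeAdminConsole(BaseHTTPRequestHandler):
    """Hypothetical stand-in for a SOHO router's web administration console.

    Every path is protected by HTTP Basic authentication (an assumption);
    the handler accepts exactly one (username, password) pair that is
    stored on the server object by start_console().
    """

    def do_GET(self):
        expected = base64.b64encode(
            f"{self.server.username}:{self.server.password}".encode()
        ).decode()
        header = self.headers.get("Authorization", "")
        if header == f"Basic {expected}":
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"admin console\n")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Router"')
            self.end_headers()

    def log_message(self, *args):
        # Keep the example quiet; the real device would log to its own facility.
        pass


def start_console(username, password):
    """Start the fake console on a free loopback port; return (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakeAdminConsole)
    server.username, server.password = username, password
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def accepts_credentials(base_url, username, password, timeout=3):
    """Return True if the console answers 200 to a Basic-auth request with this pair.

    401/403 mean the pair was rejected; any other error is raised so that a
    network problem is not silently reported as 'credentials changed'.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url + "/", headers={"Authorization": f"Basic {token}"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as exc:
        if exc.code in (401, 403):
            return False
        raise


def find_accepted_defaults(base_url, candidates=DEFAULT_CREDENTIALS):
    """Return the candidate pairs the console still accepts (an empty list is the goal)."""
    return [(u, p) for u, p in candidates if accepts_credentials(base_url, u, p)]


if __name__ == "__main__":
    # Simulate a device left on factory credentials, then one whose password was changed.
    server, url = start_console("admin", "admin")
    print("factory-default device still accepts:", find_accepted_defaults(url))
    server.shutdown()
    server, url = start_console("admin", "7h!sIsN0tDefault")
    print("hardened device still accepts:", find_accepted_defaults(url))
    server.shutdown()
```

Run the check from a host on the LAN side of the device (the management interface should not be reachable from the WAN at all); a non-empty result means the default-credential variant of the attack described above is open, and the password should be changed before any other mitigation is considered complete.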
It should also be noted that there is little privilege separation between the Administrator account and the root user. An attacker who gains Administrator privileges on the device can perform compromising actions against it; root access is not required to exploit the device.
Cisco indicates that the software updates did not completely correct the vulnerability; additional updates are forthcoming. Administrators are advised to put other effective mitigations in place until complete fixes are available.