Cisco has issued a warning about a critical remote code execution (RCE) vulnerability, tracked as CVE-2023-20126 with a CVSS score of 9.8, affecting SPA112 2-Port phone adapters that have reached their end-of-life (EoL) status. The vulnerability impacts the web-based management interface of the phone adapters and can be exploited without authentication. According to Cisco's advisory, the problem exists due to “a missing authentication process within the firmware upgrade function.”
A remote attacker can exploit the vulnerability by upgrading a device to a crafted firmware version, which would allow them to execute arbitrary code with full privileges. As the SPA112 2-Port phone adapters are no longer supported (they reached EoL on June 1, 2020), Cisco does not plan to release firmware updates to address the vulnerability. Instead, the company recommends that customers migrate to an ATA 190 Series analog telephone adapter.
Cisco states that it is not aware of the vulnerability being exploited in malicious attacks. However, unpatched and vulnerable Cisco devices have been known to be exploited in the wild. Organizations should consider eliminating the SPA112 2-Port phone adapters from their environments as soon as possible. The article also mentions related vulnerabilities and patches in other Cisco products, as well as instances where Russia was found exploiting an old vulnerability to hack Cisco routers.