Cisco Releases Security Updates to Address Critical Flaw
March 2, 2023
Cisco released security updates to address a critical flaw impacting its IP Phone 6800, 7800, 7900, and 8800 Series products. The flaw, tracked as CVE-2023-20078, is a command injection issue that resides in the web-based management interface. An unauthenticated, remote attacker can exploit the vulnerability to execute arbitrary commands with the highest privileges on the underlying operating system.
Cisco also addressed a high-severity denial-of-service (DoS) vulnerability, tracked as CVE-2023-20079, impacting the same IP Phone series products. The root cause of the DoS vulnerability is insufficient validation of user-supplied input in the web-based management interface. To fix CVE-2023-20078, Cisco recommends that customers running Cisco Multiplatform Firmware releases earlier than 11.3.7SR1 migrate to a fixed release.
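As an added example (not code from Cisco or from this article), the following Python helper flags phones in an inventory whose Multiplatform Firmware is earlier than the 11.3.7SR1 fixed release named above; the parsing of version strings and the ordering of a bare release before its service releases are assumptions, not something the advisory specifies.

```python
import re
from typing import Dict, List, Tuple

# Fixed release named in the advisory text for CVE-2023-20078.
FIXED_RELEASE = "11.3.7SR1"

# Assumption: a version is a dotted numeric release, optionally followed by a
# letter tag and a number (e.g. "11.3.7", "11.3.7SR1", "11.2.3MSR1").
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([A-Za-z]*)(\d*)$")


def parse_mpp_version(version: str) -> Tuple[List[int], str, int]:
    """Split a firmware version into (numeric parts, suffix label, suffix number)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    label = m.group(2).upper()
    num = int(m.group(3)) if m.group(3) else 0
    return nums, label, num


def version_key(version: str):
    """Sort key for comparing two versions (assumed ordering, see above)."""
    nums, label, num = parse_mpp_version(version)
    # Pad numerics so "11.3" compares equal to "11.3.0"; a bare release
    # (no suffix) is treated as earlier than its service releases.
    nums = nums + [0] * (4 - len(nums))
    return (nums, 1 if label else 0, label, num)


def is_affected(version: str, fixed: str = FIXED_RELEASE) -> bool:
    """True when the running firmware is earlier than the fixed release."""
    return version_key(version) < version_key(fixed)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return hostnames whose firmware should be migrated to a fixed release."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed sample inventory (hostname -> reported firmware version).
    sample = {"phone-a": "11.3.7", "phone-b": "11.3.7SR1", "phone-c": "11.2.3MSR1"}
    print("needs migration:", triage(sample))
```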
The company will not release updates to fix CVE-2023-20079 in Unified IP Conference Phone models because they entered end-of-life (EoL). As stated by Cisco, “Cisco has not released and will not release software updates to address the vulnerabilities that are described in CVE-2023-20079. Cisco Unified IP Phone 7900 Series and Cisco Unified IP Conference Phone 8831 have entered the end-of-life process. Customers are advised to refer to the end-of-life notices for these products.”
The good news is that the Cisco PSIRT is not aware of any malicious exploitation attempts targeting the vulnerabilities. As stated by Cisco, “A vulnerability in the web-based management interface of Cisco IP Phone 6800, 7800, and 8800 Series Multiplatform Phones could allow an unauthenticated, remote attacker to inject arbitrary commands that are executed with root privileges.”