Critical Security Vulnerability Discovered in Cisco IP Phones

Mar 2, 2023 | News


Attackers can exploit the flaw

In a recent announcement, Cisco acknowledged two high-severity vulnerabilities in the web UI of multiple IP Phone models. According to Cisco, a remote attacker can exploit the RCE flaw (CVE-2023-20078) to inject arbitrary commands, which are then executed with root privileges on the phone.


DoS flaw not patched yet

Meanwhile, the second vulnerability (CVE-2023-20079) allows attackers to trigger a denial-of-service (DoS) condition. Both vulnerabilities stem from insufficient validation of user-supplied input and can be exploited by sending maliciously crafted requests to the targeted device's web-based management interface.

While Cisco has released security updates to address the CVE-2023-20078 RCE vulnerability, it has stated that it will not release patches for the CVE-2023-20079 DoS flaw. The list of affected devices includes Cisco IP Phone 6800, 7800, and 8800 series devices with Multiplatform Firmware, as well as the Unified IP Conference Phone 8831, the Unified IP Conference Phone 8831 with Multiplatform Firmware, and the Unified IP Phone 7900 Series; the latter group is vulnerable only to the DoS flaw.

Cisco's advice to admins

Cisco has urged admins to disable Cisco Discovery Protocol (CDP) on affected IP Phone devices that support Link Layer Discovery Protocol (LLDP), which removes the attack vector.


Source: bleepingcomputer.com
