Published on 02 Mar 2023
Cisco has released software updates to address a critical vulnerability (CVE-2023-20078) in the web-based management interface of certain Cisco IP Phones.
The vulnerability is due to insufficient validation of user-supplied input, allowing an attacker to send a crafted request to the web-based management interface.
Successful exploitation of this vulnerability could allow a remote and unauthenticated attacker to execute arbitrary commands on the underlying operating system of an affected device with root privileges.
The vulnerability affects the following Cisco products running a vulnerable release (versions prior to 11.3.7SR1) of Cisco Multiplatform Firmware:
Users and administrators of affected product versions are advised to upgrade to the latest versions immediately.
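The following added example (not part of the original advisory or Cisco's own tooling) shows one way to triage a phone inventory against the fixed release 11.3.7SR1. It assumes every device listed is one of the affected products and that versions are reported as `major.minor.patch` with an optional `SR<n>` suffix; the device names and versions in the sample are constructed.

```python
import re

FIXED_RELEASE = "11.3.7SR1"  # first fixed release named in the advisory

# Assumed format: major.minor.patch with an optional SR<n> service-release suffix.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:SR(\d+))?", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, patch, sr) or None if the string does not fit."""
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        return None
    major, minor, patch, sr = m.groups()
    return (int(major), int(minor), int(patch), int(sr or 0))


def status(version_text):
    """Classify one reported version as 'vulnerable', 'fixed' or 'unknown'."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown"  # never treat an unparseable version as safe
    # Tuple comparison is numeric, so 11.3.10 sorts after 11.3.7SR1.
    return "vulnerable" if parsed < parse_version(FIXED_RELEASE) else "fixed"


def triage(inventory):
    """Group device names by status; inventory maps name -> version string."""
    report = {"vulnerable": [], "fixed": [], "unknown": []}
    for name, version in sorted(inventory.items()):
        report[status(version)].append(name)
    return report


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = {
    "phone-lobby": "11.3.7",
    "phone-lab": "11.3.7SR1",
    "phone-hr": "11.3.6SR2",
    "phone-exec": "12.0.1",
    "phone-old": "unknown-build",
}

if __name__ == "__main__":
    for state, names in triage(SAMPLE_INVENTORY).items():
        print(f"{state}: {', '.join(names) or '-'}")
```

Devices reported as `unknown` need a manual check rather than being counted as patched.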
More information is available here: