Critical Vulnerability in Cisco IP Phones

Published on 02 Mar 2023

Cisco has released software updates to address a critical vulnerability (CVE-2023-20078) in the web-based management interface of certain Cisco IP Phones.

The vulnerability is due to insufficient validation of user-supplied input, which allows an attacker to send a crafted request to the web-based management interface.

Successful exploitation of this vulnerability could allow a remote and unauthenticated attacker to execute arbitrary commands on the underlying operating system of an affected device with root privileges.

The vulnerability affects the following Cisco products running a vulnerable release (versions prior to 11.3.7SR1) of Cisco Multiplatform Firmware:

  • IP Phone 6800 Series
  • IP Phone 7800 Series
  • IP Phone 8800 Series
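For administrators who need to triage a fleet against the advisory, the following added example (not code from Cisco or from this advisory) checks an inventory of phones against the fixed release stated above, 11.3.7SR1. It assumes firmware version strings have the shape `<major>.<minor>.<patch>` with an optional `SR<n>` service-release suffix, and that a release with no `SR` suffix sorts before `SR1` of the same base release; both are assumptions made for the example, and the inventory entries are constructed sample data.

```python
import re

# Fixed release named in the advisory for Cisco Multiplatform Firmware.
FIXED_RELEASE = "11.3.7SR1"

# Product series the advisory lists as affected.
AFFECTED_SERIES = {"6800", "7800", "8800"}

# Assumed version string shape: "<major>.<minor>.<patch>" plus an optional
# "SR<n>" suffix (e.g. "11.3.7SR1"). This pattern is an assumption for the
# example, not a description of Cisco's complete versioning scheme.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:SR(\d+))?$", re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """Turn a firmware version string into a comparable tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version string: {version!r}")
    major, minor, patch, sr = m.groups()
    # A release with no SR suffix is treated as SR0, i.e. earlier than SR1
    # of the same base release (assumption made for this example).
    return (int(major), int(minor), int(patch), int(sr) if sr else 0)


def is_vulnerable(version: str, fixed: str = FIXED_RELEASE) -> bool:
    """True when the running release is prior to the fixed release."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: list) -> list:
    """Return the hosts in an affected series that still run a vulnerable release.

    Each inventory item is a dict with "host", "series" and "version" keys.
    Devices outside the affected series are skipped; unparseable versions
    are reported rather than silently ignored, since an unknown version
    should be investigated, not assumed safe.
    """
    exposed = []
    for item in inventory:
        if item["series"] not in AFFECTED_SERIES:
            continue
        try:
            if is_vulnerable(item["version"]):
                exposed.append(item["host"])
        except ValueError:
            exposed.append(f'{item["host"]} (version unparseable: {item["version"]!r})')
    return sorted(exposed)


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "phone-01", "series": "8800", "version": "11.3.6"},      # vulnerable
    {"host": "phone-02", "series": "7800", "version": "11.3.7SR1"},   # fixed release
    {"host": "phone-03", "series": "6800", "version": "11.3.7"},      # pre-SR1, vulnerable
    {"host": "phone-04", "series": "8800", "version": "11.3.7SR2"},   # later than fix
    {"host": "phone-05", "series": "other", "version": "11.3.6"},     # not an affected series
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("needs upgrade:", host)
```

Run the block directly to see which sample hosts need the update; in practice the inventory would be fed from whatever asset database or phone-provisioning export the organisation keeps.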
Users and administrators of affected product versions are advised to upgrade to the latest versions immediately.

More information is available here:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ip-phone-cmd-inj-KMFynVcP