Cisco fixes a critical vulnerability in a number of its IP phones
At the same time, the company does not plan to update the old series of equipment, leaving thousands of devices vulnerable.
On March 1, Cisco released security updates to address a critical vulnerability affecting its 6800, 7800, 7900, and 8800 series IP phones.
The vulnerability, tracked as CVE-2023-20078, carries a CVSS score of 9.8 out of 10 and is described as “a command injection flaw in the web management interface caused by insufficient validation of user-supplied input.” Successful exploitation could allow an unauthenticated remote attacker to execute arbitrary commands with the highest privileges on the underlying operating system.
Cisco also fixed a high-severity DoS vulnerability affecting the same set of devices, as well as the Cisco Unified IP Conference Phone 8831 and Unified IP Phone 7900.
CVE-2023-20079 (CVSS 7.5) also stems from insufficient validation of user-supplied input in the web management interface and could be exploited by attackers to cause a denial of service.
Although Cisco has released multiplatform firmware version 11.3.7SR1 to address CVE-2023-20078, the company has stated that it does not plan to fix CVE-2023-20079 because both affected Unified IP Conference Phone models have already reached end of life. Recall that the company frequently declines to patch vulnerabilities in older equipment, encouraging its customers to purchase new devices instead.
Both vulnerabilities were reportedly discovered during Cisco's internal security testing, and there is no indication that attackers have exploited them in the wild.