Cisco has revealed that Cisco SPA112 2-Port Phone Adapters are vulnerable to a serious security flaw. This vulnerability could be exploited by an attacker to execute arbitrary code on the device with full privileges.
The affected phone adapters are widely used in the industry, and while they may not be exposed to the internet, the flaw can be exploited from the local network.
Cisco has designated this flaw, tracked as CVE-2023-20126, with a CVSS score of 9.8, which is considered critical. The vulnerability was caused by a missing authentication process in the firmware upgrade function.
Attackers can exploit this vulnerability by upgrading an affected device to a crafted version of firmware.
Cisco has not provided any mitigations for CVE-2023-20136, and since the Cisco SPA112 has reached the end of its life, it is no longer supported by the vendor and will not receive any security updates. Cisco’s security bulletin advises organizations to replace the impacted phone adapters with the Cisco ATA 190 Series Analog Telephone Adapter, which has a designated end-of-life date on March 31, 2024, or implement additional security layers to protect them from attacks.
Although Cisco is unaware of any active exploitation of CVE-2023-20136, it could change at any time, and this vulnerability could potentially be used in large-scale security incidents. As a result, administrators are advised to take the necessary precautions immediately.
As critical severity flaws on popular devices can be exploited, gaining access to these devices could help a threat actor spread laterally on a network without detection, as security software does not typically monitor these types of devices.