Security News > 2023 > March > Cisco patches critical Web UI RCE flaw in multiple IP phones
Cisco has addressed a critical security vulnerability found in the Web UI of multiple IP Phone models that unauthenticated and remote attackers can exploit in remote code execution attacks.
The security vulnerabilities were discovered by Zack Sanchez of the Cisco Advanced Security Initiatives Group during internal security testing.
While Cisco released security updates to address the CVE-2023-20078 RCE vulnerability, the company said it would not release patches to fix the CVE-2023-20079 DoS flaw.
"Cisco Unified IP Phone 7900 Series and Cisco Unified IP Conference Phone 8831 have entered the end-of-life process," the company explained.
Cisco also announced in December that it would release patches for a high-severity zero-day vulnerability with public exploit code found in the Cisco Discovery Protocol processing feature of Cisco IP Phones running 7800 and 8800 Series firmware.
In February 2020, Cisco patched five other RCE and DoS vulnerabilities in the Cisco Discovery Protocol, collectively known as CDPwn and potentially affecting tens of millions of enterprise devices.
News URL
Related news
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices (source)
- Cisco Releases Patch for Critical URWB Vulnerability in Industrial Wireless Systems (source)
- Critical vulnerability in Cisco industrial wireless access points fixed (CVE-2024-20418) (source)
- Cisco scores a perfect CVSS 10 with critical flaw in its wireless system (source)
- HPE warns of critical RCE flaws in Aruba Networking access points (source)
- Critical Veeam RCE bug now used in Frag ransomware attacks (source)
- Palo Alto Networks warns of critical RCE zero-day exploited in attacks (source)
- Critical RCE bug in VMware vCenter Server now exploited in attacks (source)
- Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble (source)
- Veeam warns of critical RCE bug in Service Provider Console (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-03-03 | CVE-2023-20079 | Out-of-bounds Write vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of certain Cisco IP Phones could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition. | 7.5 |
2023-03-03 | CVE-2023-20078 | Out-of-bounds Write vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of certain Cisco IP Phones could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition. | 9.8 |