Security News > 2023 > March > Critical Flaw in Cisco IP Phone Series Exposes Users to Command Injection Attack
Cisco on Wednesday rolled out security updates to address a critical flaw impacting its IP Phone 6800, 7800, 7900, and 8800 Series products.
The vulnerability, tracked as CVE-2023-20078, is rated 9.8 out of 10 on the CVSS scoring system and is described as a command injection bug in the web-based management interface arising due to insufficient validation of user-supplied input.
"An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface," Cisco said in an alert published on March 1, 2023.
Also patched by the company is a high-severity denial-of-service vulnerability affecting the same set of devices, as well as the Cisco Unified IP Conference Phone 8831 and Unified IP Phone 7900 Series.
While Cisco has released Cisco Multiplatform Firmware version 11.3.7SR1 to resolve CVE-2023-20078, the company said it does not plan to fix CVE-2023-20079, as both the Unified IP Conference Phone models have entered end-of-life.
The advisory comes as Aruba Networks, a subsidiary of Hewlett Packard Enterprise, released an update to ArubaOS to remediate multiple unauthenticated command injection and stack-based buffer overflow flaws that could result in code execution.
News URL
https://thehackernews.com/2023/03/critical-flaw-in-cisco-ip-phone-series.html
Related news
- CISA warns of critical Oracle, Mitel flaws exploited in attacks (source)
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks (source)
- Critical SimpleHelp Flaws Allow File Theft, Privilege Escalation, and RCE Attacks (source)
- Cisco Fixes Critical Privilege Escalation Flaw in Meeting Management (CVSS 9.9) (source)
- Cisco fixes ClamAV vulnerability with available PoC and critical Meeting Management flaw (source)
- Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management (source)
- New SLAP & FLOP Attacks Expose Apple M-Series Chips to Speculative Execution Exploits (source)
- Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891) (source)
- New Aquabot Botnet Exploits CVE-2024-41710 in Mitel Phones for DDoS Attacks (source)
- Cisco Patches Critical ISE Vulnerabilities Enabling Root CmdExec and PrivEsc (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-03-03 | CVE-2023-20079 | Out-of-bounds Write vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of certain Cisco IP Phones could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition. | 7.5 |
| 2023-03-03 | CVE-2023-20078 | Out-of-bounds Write vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of certain Cisco IP Phones could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition. | 9.8 |