Critical RCE vulnerability in Cisco phone adapters, no update available (CVE-2023-20126)
2023-05-05 09:50

Cisco has revealed the existence of a critical vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters.

"This vulnerability is due to a missing authentication process within the firmware upgrade function. An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware," Cisco's security advisory explains.

The vulnerability has been reported privately and there are no indications that it has been exploited in the wild.

The vulnerable adapter is no longer supported, meaning that Cisco will not be releasing firmware updates to fix this vulnerability.

With no fixes or workarounds available, Cisco is urging customers to migrate to a newer device.

In the security advisory, Cisco says users should migrate to a Cisco ATA 190 Series Analog Telephone Adapter, but the EOL document for the Cisco SPA112 2-Port Phone Adapter points to the Cisco ATA 191 Series Analog Telephone Adapter as a fitting replacement.


News URL

https://www.helpnetsecurity.com/2023/05/05/cve-2023-20126/

Related vendor (last 12 months)

VENDOR | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS
Cisco  | 4435       | 231 | 3048   | 1813 | 602      | 5694