Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Cisco Says PoC Exploits Available for Newly Patched Enterprise Switch Vulnerabilities

Cisco has released patches for critical vulnerabilities in small business switches for which public proof-of-concept (PoC) code exists.

Cisco this week announced patches for critical-severity vulnerabilities in multiple small business switches and warned that proof-of-concept (PoC) code that targets them exists publicly.

Identified in the web-based user interface of the impacted switches, the flaws can be exploited remotely, without authentication, to execute arbitrary code with root privileges.

The root cause of these issues, Cisco notes in an advisory, is the improper validation of requests sent to the web interface. The bugs can be exploited by sending crafted requests through the web-based user interface.

According to Cisco, these vulnerabilities are not dependent on one another, meaning that any of them can be exploited without having to exploit the others.

Tracked as CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189, the vulnerabilities have a CVSS score of 9.8.

Cisco has released software updates to address all four, along with five other high-severity flaws that can also be exploited by unauthenticated, remote attackers via crafted requests. Four of them could lead to a denial-of-service (DoS) condition, while the fifth allows attackers to read unauthorized information.

The flaws were addressed with the release of firmware version 2.5.9.16 for 250 series smart switches, 350 series managed switches, and 350X and 550X series stackable managed switches, and with firmware version 3.3.0.16 for business 250 series smart switches and business 350 series managed switches.

Advertisement. Scroll to continue reading.

Small business 200 series smart switches, small business 300 series managed switches, and small business 500 series stackable managed switches are also impacted, but Cisco does not plan to update these devices, as they have entered the end-of-life (EoL) process.

The tech giant also notes that PoC code targeting these vulnerabilities is already available, but that it is not aware of malicious attacks targeting them.

This week, Cisco also announced patches for multiple medium-severity bugs in IOS XE ROM Monitor (ROMMON) software, Smart Software Manager (SSM) On-Prem, Identity Services Engine (ISE), DNA Center software, and Business Wireless Access Points (APs).

Additional information on the addressed vulnerabilities can be found on the Cisco security advisories page.

Related: Cisco Warns of Critical Vulnerability in EoL Phone Adapters

Related: Cisco Working on Patch for Vulnerability Reported by NATO Pentester

Related: Cisco Patches Critical Vulnerabilities in Industrial Network Director, Modeling Labs

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.