Virtual Event Now Live: Zero Trust Strategies Summit! - Login for Access
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Cisco Warns of Critical Vulnerability in EoL Phone Adapters

Cisco warns of a critical-severity RCE vulnerability impacting EoL SPA112 2-Port Phone Adapters.

Cisco this week raised the alarm on a critical remote code execution (RCE) vulnerability impacting SPA112 2-Port phone adapters, which have reached end-of-life (EoL) status.

Tracked as CVE-2023-20126 (CVSS score of 9.8), the flaw impacts the web-based management interface of the phone adapters and can be exploited without authentication.

The issue, Cisco explains in its advisory, exists because of “a missing authentication process within the firmware upgrade function”.

To exploit the bug, a remote attacker needs to upgrade a device to a crafted firmware version, which would allow them to execute arbitrary code with full privileges.

Given that the SPA112 2-Port phone adapters are no longer supported (they reached EoL on June 1, 2020), Cisco does not plan to release firmware updates to address the vulnerability.

Instead, the tech giant recommends that customers migrate to an ATA 190 Series analog telephone adapter.

Cisco says it is not aware of the vulnerability being exploited in malicious attacks. However, unpatched, vulnerable Cisco devices are known to have been exploited in the wild and organizations should consider eliminating the SPA112 2-Port phone adapters from their environments as soon as possible.

Related: Cisco Working on Patch for Vulnerability Reported by NATO Pentester

Advertisement. Scroll to continue reading.

Related: Cisco Patches Critical Vulnerabilities in Industrial Network Director, Modeling Labs

Related: US, UK: Russia Exploiting Old Vulnerability to Hack Cisco Routers

Related: Cisco Patches Code and Command Execution Vulnerabilities in Several Products

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Nupur Goyal has joined cloud identity security and management solutions provider Saviynt as VP of Product Marketing.

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

Omkhar Arasaratnam, former GM at OpenSSF, is LinkedIn's first Distinguised Security Engineer

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.