Cisco this week raised the alarm on a critical remote code execution (RCE) vulnerability impacting SPA112 2-Port phone adapters, which have reached end-of-life (EoL) status.
Tracked as CVE-2023-20126 (CVSS score of 9.8), the flaw impacts the web-based management interface of the phone adapters and can be exploited without authentication.
The issue, Cisco explains in its advisory, exists because of “a missing authentication process within the firmware upgrade function”.
To exploit the bug, a remote attacker needs to upgrade a device to a crafted firmware version, which would allow them to execute arbitrary code with full privileges.
Given that the SPA112 2-Port phone adapters are no longer supported (they reached EoL on June 1, 2020), Cisco does not plan to release firmware updates to address the vulnerability.
Instead, the tech giant recommends that customers migrate to an ATA 190 Series analog telephone adapter.
Cisco says it is not aware of the vulnerability being exploited in malicious attacks. However, unpatched, vulnerable Cisco devices are known to have been exploited in the wild and organizations should consider eliminating the SPA112 2-Port phone adapters from their environments as soon as possible.
Related: Cisco Working on Patch for Vulnerability Reported by NATO Pentester
Related: Cisco Patches Critical Vulnerabilities in Industrial Network Director, Modeling Labs
Related: US, UK: Russia Exploiting Old Vulnerability to Hack Cisco Routers
Related: Cisco Patches Code and Command Execution Vulnerabilities in Several Products