On May 3, 2023, Cisco released an advisory to address a critical vulnerability in the web-based management system of the Cisco SPA112 2-Port Phone Adapters. The vulnerability is tracked as CVE-2023-20126 and has a CVSS score of 9.8.
A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters
could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to a missing authentication process within the firmware upgrade function. An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges.
There are currently no reports yet of an active exploitation of this vulnerability.
3.0 Affected Products
This vulnerability affects all firmware releases for Cisco SPA112 2-Port Phone Adapters.
Moreover, Cisco has not released and will not release firmware updates to address the vulnerability, because Cisco SPA112 2-Port Phone Adapters have entered the end of-life process and are no longer supported.
MyCERT encourage constituents to discontinue using the product, as well as verify if any other similar – possibly also no longer supported – products are in use.
Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT