Cisco has released security updates for vulnerabilities impacting its IP Phone 6800, 7800, 7900, and 8800 Series products.
The first vulnerability is tracked as CVE-2023-20078 and has a CVSS score of 9.8. According to Cisco, the flaw could allow an unauthenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerability impacts the following products:
The second vulnerability is tracked as CVE-2023-20079 and has a CVSS score of 7.5. CVE-2023-20079 is due to insufficient validation of user-supplied input. It could allow an unauthenticated, remote attacker to cause a DoS condition. According to Cisco, the bug is in the web-based management interface of the following products:
There are no workarounds to address the vulnerabilities, but the company has released Cisco Multiplatform Firmware version 11.3.7SR1 to resolve CVE-2023-20078. Cisco stated that they will not release software updates to address CVE-2023-20079, as the products have reached the end-of-life process. It is highly recommended that organizations apply the appropriate updates as soon as possible.
At this time, there are no known IoCs associated with CVE-2023-20078 and CVE-2023-20079. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.
Cisco IP Phone 6800, 7800, 7900, and 8800 Series Web UI Vulnerabilities
Critical Flaw in Cisco IP Phone Series Exposes Users to Command Injection Attack (thehackernews.com)
Cisco patches critical bugs in IP Phones | SC Media (scmagazine.com)