Cisco warns of a critical vulnerability in the web interface of the SPA112 Dual Port Phone Adapters.
The issue allows a remote, unauthenticated attacker to execute arbitrary code. Since the support period for the Cisco SPA112 has already come to an end, there are no updates to wait for.
Let me remind you that we also wrote that Vulnerability in Cisco WebEx and Zoom allows listening to other people's conversations, and also that Yanluowang Ransomware Hacked Cisco.
Information security specialists also warned that Cisco Won't Fix an RCE Vulnerability in Old RV Routers.
The latest vulnerability was given the identifier CVE-2023-20126 and the status of "critical" (9.8 points out of 10 possible on the CVSS scale). The developers report that the problem is caused by missing authentication in the firmware update function: the web interface accepts a firmware image without first checking who is submitting it.
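To make the root cause concrete, here is an added, generic illustration of a firmware-update handler that performs no authentication, next to a hardened version that requires an administrator session and verifies the image before installing it. This is toy example code written for this article; it is not the SPA112 firmware and does not reflect how Cisco's web interface is implemented. The request/device structures, the `/upgrade` path and the HMAC-based image check (standing in for a vendor signature over the image) are all assumptions made for the example.

```python
"""Generic illustration of missing authentication on a firmware-update endpoint.
Added example, not Cisco code; all names and paths are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for a vendor signing key. A real device would verify an
# asymmetric signature against a public key stored in the firmware, not a shared key.
VENDOR_KEY = b"constructed-demo-key-not-real"
TAG_LEN = 32  # SHA-256 HMAC tag prefixed to the image in the hardened protocol


@dataclass
class Request:
    """Minimal model of an HTTP POST: path, raw body, optional session cookie."""
    path: str
    body: bytes
    session_token: Optional[str] = None


@dataclass
class Device:
    """Minimal model of the adapter: active sessions and the installed image."""
    sessions: dict = field(default_factory=dict)  # session token -> role
    installed_firmware: bytes = b"v1-factory"


def sign_firmware(image: bytes) -> bytes:
    """Constructed signing step, used only to build valid sample input."""
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()


def update_vulnerable(dev: Device, req: Request) -> int:
    """Vulnerable pattern: whoever can reach the endpoint installs whatever they post.
    No session check, no role check, no integrity check on the image."""
    if req.path != "/upgrade":
        return 404
    dev.installed_firmware = req.body
    return 200


def update_hardened(dev: Device, req: Request) -> int:
    """Hardened pattern: authenticate, authorise, then verify the image."""
    if req.path != "/upgrade":
        return 404
    role = dev.sessions.get(req.session_token)
    if role is None:
        return 401  # no valid session: reject before touching the body
    if role != "admin":
        return 403  # logged in, but not permitted to change firmware
    if len(req.body) <= TAG_LEN:
        return 400  # too short to contain a tag plus an image
    tag, image = req.body[:TAG_LEN], req.body[TAG_LEN:]
    # Constant-time comparison of the supplied tag against a freshly computed one.
    if not hmac.compare_digest(tag, sign_firmware(image)):
        return 400  # image not produced by the vendor key: refuse to install
    dev.installed_firmware = image
    return 200


if __name__ == "__main__":
    rogue = Request("/upgrade", b"unsigned-image")
    print("vulnerable handler:", update_vulnerable(Device(), rogue))  # installs it: 200
    print("hardened, no session:", update_hardened(Device(), rogue))  # 401
```

The two handlers differ only in the three checks in front of the write: the vulnerable one has none, which is exactly the condition the bulletin describes, and no amount of network hardening inside the device compensates for it once the web interface is reachable.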
I must say that such phone adapters are a very popular solution for connecting analog phones to VoIP. Although they are used in many organizations, they are most likely not exposed to the Internet, so the vulnerability can probably only be exploited from the local network.
However, vulnerable devices can help attackers get into the network undetected because security software usually doesn’t track these types of devices.
As support for the Cisco SPA112 ended in 2020, the devices are no longer maintained by the manufacturer and do not receive security updates. In its bulletin, Cisco offers no workaround or other mitigation for CVE-2023-20126.
In fact, the bulletin serves only to raise awareness and to remind companies to replace outdated phone adapters and add further layers of security around them.