This week, Cisco has released software updates to fix a crucial vulnerability found in the web-based management interface of their 6800, 7800, and 8800 series IP phones.
Tracked as CVE-2023-20078 (CVSS score of 9.8), the issue can be exploited by an unauthenticated, remote attacker to execute code with root privileges. The security defect exists because user input is not sufficiently validated. “An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system of an affected device,” the tech giant explains.
Vulnerable products include IP Phone 6800, 7800, and 8800 series devices, with multiplatform firmware. The flaw was addressed with the release of firmware version 11.3.7SR1. The firmware update also addresses CVE-2023-20079 (CVSS score of 7.5), another insufficient validation of user-provided input bug, which could be exploited to cause a denial-of-service (DoS) condition. In addition to the aforementioned devices, the vulnerability also impacts Cisco’s unified IP conference phone 8831, unified IP conference phone 8831 with multiplatform firmware, and unified IP phone 7900 series devices, which have reached end-of-life (EoL) status and will not receive patches.
Cisco says it is not aware of any of these vulnerabilities being exploited in malicious attacks. This week, the tech giant also released software updates that resolve medium-severity vulnerabilities in Webex App for Web, Finesse, and Prime Infrastructure and Evolved Programmable Network (EPN) Manager. The company also announced that it was working on patches for two medium-severity issues impacting Unified Intelligence Center. Version 12.6(2) of Unified Intelligence Center, expected to arrive in March, will address both flaws.
Cisco this week has released multiple software updates to address vulnerabilities in its products, including a critical vulnerability in the web-based management interface of its 6800, 7800, and 8800 series IP phones. The company has also released updates to address medium-severity vulnerabilities in Webex App for Web, Finesse, and Prime Infrastructure and Evolved Programmable Network (EPN) Manager, and is working on patches for two medium-severity issues impacting Unified Intelligence Center.
Key points:
- Cisco this week released software updates that address a critical vulnerability in the web-based management interface of its 6800, 7800, and 8800 series IP phones.
- The security defect exists because user input is not sufficiently validated.
- The company has also released updates to address medium-severity vulnerabilities in Webex App for Web, Finesse, and Prime Infrastructure and Evolved Programmable Network (EPN) Manager.
- Cisco is also working on patches for two medium-severity issues impacting Unified Intelligence Center.