"Cisco Fixed a Critical Command Injection Bug in IP Phone Series"

To address a critical vulnerability, Cisco has released security updates for its IP Phone 6800, 7800, 7900, and 8800 Series products. The flaw, tracked as CVE-2023-20078, is a command injection vulnerability in the web-based management interface. Its root cause is insufficient validation of user-supplied input. A remote, unauthenticated attacker could exploit this flaw to execute arbitrary commands with the highest privileges on the underlying operating system. The IT giant also patched a Denial-of-Service (DoS) vulnerability that affected the same IP Phone series products. The Cisco Unified IP Conference Phone 8831 and Unified IP Phone 7900 Series are affected. To fix CVE-2023-20078, Cisco recommends that devices running Cisco Multiplatform Firmware versions earlier than 11.3.7SR1 migrate to a fixed release. The company will not distribute fixes for CVE-2023-20079 in Unified IP Conference Phone models that have reached end-of-life (EoL) status. This article continues to discuss the critical vulnerability impacting Cisco's IP Phone 6800, 7800, 7900, and 8800 Series products.

Security Affairs "Cisco Fixed a Critical Command Injection Bug in IP Phone Series"
