"Cisco Warns of Critical Vulnerability in EoL Phone Adapters"

Cisco recently raised the alarm on a critical remote code execution (RCE) vulnerability impacting SPA112 2-Port phone adapters, which have reached end-of-life (EoL) status. Tracked as CVE-2023-20126 (CVSS score of 9.8), the flaw impacts the web-based management interface of the phone adapters and can be exploited without authentication.

Cisco noted that the issue exists because of "a missing authentication process within the firmware upgrade function." To exploit the bug, a remote attacker needs to upgrade a device to a crafted firmware version, which would allow them to execute arbitrary code with full privileges.

Cisco stated that given that the SPA112 2-Port phone adapters are no longer supported (they reached EoL on June 1, 2020), it does not plan to release firmware updates to address the vulnerability. Instead, the tech giant recommends that customers migrate to an ATA 190 Series analog telephone adapter.

Cisco says it is not aware of the vulnerability being exploited in malicious attacks. However, unpatched, vulnerable Cisco devices are known to have been exploited in the wild, and organizations should consider eliminating the SPA112 2-Port phone adapters from their environments as soon as possible.


SecurityWeek reports: "Cisco Warns of Critical Vulnerability in EoL Phone Adapters"
