CISCO EOL IP Phone has a Critical RCE Bug
Cisco issue a warning about a critical flaw impacting its IP phone ports allow unauthenticated attackers to execute code remotely on targeted devices and gain full admin privileges.
Cisco has not released and will not release firmware updates to address the vulnerability that is described in this advisory and urging customers still using the impacted model, SPA 112 2-Port Phone Adapters, to upgrade to its Cisco ATA 190 Series Analog Telephone Adapter to mitigate the flaw.
The vulnerable IP phone adapter is part of its small business line of IP phones. The bug tracked as CVE-2023-20126 with a CVSS score of 9.8 is due to a missing authentication process within the firmware upgrade function, Cisco reported on Wednesday. Successful exploit could give an attacker full privilege on an affected device.
Cisco retired the SPA 112 2-Port Phone Adapters December 2019 and said end-of-life security support for the product would be June 2020. It’s unclear how many impacted models might still be in use today and said it was not aware of the vulnerability being exploited in the wild.