Skip to content

Critical flaws in Cisco switch can allow unauthorised remote access

  • by
  • 2 min read

Cisco has warned customers about a set of four critical remote code execution vulnerabilities that can let attackers execute arbitrary code with root privileges on compromised devices. The issue is caused by improper validation of requests sent to the targeted switches’ web interfaces and affects multiple Small Business Series switches. Affected devices include:

  • 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches and 550X Series Stackable Managed Switches (fixed in firmware version 2.5.9.16)
  • Business 250 Series Smart Switches and Business 350 Series Managed Switches (fixed in firmware version 3.3.0.16)
  • Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches, Small Business 500 Series Stackable Managed Switches (no patch available at the time of writing)

The 200, 300 and 500 series Small Business Switches are also affected by the vulnerabilities but won’t receive a firmware update as these devices have already entered their end-of-life process as per Cisco’s announcement

As for the vulnerabilities themselves, they’re tracked as CVE-2023-20159, CVE-2023-20160, CVE-2023-20161 and CVE-2023-20189. All of these vulnerabilities have a CVSS score of 9.8/10 and a critical rating. Additionally, they’re not dependent on one another, meaning you can exploit one without exploiting another. 

The vulnerabilities are part of a larger vulnerability set. Five other vulnerabilities tracked as CVE-2023-20024 (CVSS score 8.6), CVE-2023-20156 (CVSS score 8.6), CVE-2023-20157 (CVSS score 8.6), CVE-2023-20158 (CVSS score 8.6) and CVE-2023-20162 (CVSS score 7.5) were also announced. 

They can be exploited by sending a specially crafted request through the web-based user interface. Additionally, they can also be abused to trigger a DoS condition or read unauthorised information on affected systems via a malicious request. 

The Cisco Product Security Incident Response Team (PSIRT) also revealed that proof-of-concept exploit is already available in the wild, meaning affected devices exposed to the internet are at risk. However, PSIRT has yet to find evidence that suggests active exploitation of these vulnerabilities. 

In the News: Lancefly hackers gathered intel from Asian Gov targets from 2022-23

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.

>