Cisco has issued a warning about a critical security flaw in the SPA112 2-Port phone adapters that can be exploited to run arbitrary code with elevated privileges on the affected device. The vulnerability in question is tracked as CVE-2023-20126 with a rating of 9.8 out of 10 on the CVSS scale and was reported by CataLpa from Dbappsecurity. There’s no evidence of the flaw being exploited in the wild at the moment.
Specifically, the issue lies in the web-based management interface of the adapter and is caused due to a missing authentication process within the firmware upgrade feature. The vulnerability can be exploited by upgrading the vulnerable devices to a maliciously crafted firmware version. A successful exploit can allow an attacker to execute arbitrary code on the compromised device with full privileges.
However, since the SPA112 2-Port phone adapters have reached their end-of-life process, Cisco won’t be releasing firmware updates to address the issue. The company disclosed the vulnerability and issued a bulletin seemingly to raise awareness and prevent any possible attacks.
Instead, customers are recommended to migrate to the ATA 190 Series Analog Telephone Adapter, which will receive its final update on March 31, 2024. Considering there are no workarounds to prevent exploitation either, a replacement is the best way to prevent exploitation.
These phone adaptors are used to connect analogue phones and fax machines to a VoIP service provider without the need for an upgrade and are quite popular across the industry. Since they’re not usually exposed to the internet, any flaws can generally only be exploited from within the local network. That said, compromising such devices and gaining access can allow a threat actor to spread laterally across the network without detection as these devices aren’t generally monitored by security programs either.
In the News: Pixel Fold is official; will be launched at Google I/O 2023