Cisco has warned users of a critical vulnerability in its VOIP-telephony Cisco SPA112 adapter control interface, which could allow hackers to execute arbitrary code on a vulnerable device. The vulnerability, identified as CVE-2023-20126 and given a CVSS rating of 9.8, is a result of the firmware update function’s lack of authentication. Potential attackers can exploit this flaw by updating the vulnerable device to a specially created firmware version, giving them the freedom to execute arbitrary code on any affected device with full privileges.
Although Cisco SPA112 telephone adapters, popular for VOIP use, are prevalent in many organizations, the vulnerability can only be exploited through a local network as affected devices are typically not connected to the internet. However, these devices can serve as a kind of gateway for attackers to move around a network unnoticed as traditional security tools do not track this type of device. Moreover, the situation is made worse by the fact that Cisco SPA112 is no longer supported by the supplier, and there are no protection measures available for CVE-2023-20136.
Cisco is recommending that users replace vulnerable devices or introduce additional security measures to protect against a possible attack. The analog telephone adapter Cisco ATA190 is the recommended replacement model, serving until March 31, 2024. Cisco is currently unaware of any cases of active exploitation of CVE-2023-20136, but this can change quickly, so administrators are urged to take appropriate security measures. Critical vulnerabilities in already unsupported popular devices are possible targets for significant security incidents.