Cisco has warned of a critical vulnerability in the web interface of the SPA112 Dual Port Phone Adapters. The issue allows a remote, unauthenticated attacker to execute arbitrary code. As the support period for the Cisco SPA112 has already ended, no updates are available to address the issue.
The vulnerability has been assigned the identifier CVE-2023-20126 and carries a critical CVSS score of 9.8 out of 10. According to Cisco, the root cause is a missing authentication check in the firmware update function of the adapter's web-based management interface.
An attacker could exploit this vulnerability by uploading a crafted firmware image to the affected device. If the upload succeeds, the attacker can execute arbitrary code on the vulnerable device with full privileges.
The SPA112 Dual Port Phone Adapters are a popular solution for connecting analog phones to VoIP. Although these adapters are used in many organizations, their web interface is usually not exposed to the Internet, so in practice the vulnerability is typically exploitable only from the local network. That is limited comfort: a compromised adapter gives an attacker who already has a foothold a persistent and inconspicuous position on the network, since endpoint security tooling typically does not cover devices of this type.
Since support for the Cisco SPA112 ended in 2020, the devices no longer receive security updates from the manufacturer. Cisco's advisory offers no fix or workaround for CVE-2023-20126; it serves to raise awareness and to remind organizations to replace the outdated adapters and, until they are replaced, to add compensating controls, such as isolating the adapters and restricting access to their web interface to a management network.
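The practical compensating control for an unpatchable device is to keep its web interface reachable only from a management segment and to alert on anything else. The script below checks that from flow or firewall logs; it is an added example and not part of Cisco's advisory or this article. The adapter addresses, the allowed management subnet, the record format and the sample flow records are all constructed for illustration.

```python
"""Flag access to legacy phone adapters' web interface from outside the
management segment.

Added example (not from Cisco's advisory). Inventory, policy, record
format and sample records are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed inventory: addresses of the unsupported SPA112 adapters.
ADAPTERS = {"10.10.20.11", "10.10.20.12"}

# Constructed policy: only the management segment may reach the adapters'
# HTTP/HTTPS interface. SIP/RTP traffic from phones is not in scope here.
ALLOWED_MGMT_NETS = [ipaddress.ip_network("10.10.250.0/24")]
MGMT_PORTS = {80, 443}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed flow record: '<src_ip> <dst_ip> <proto> <dport>'.

    Returns None for malformed lines so a bad export line cannot hide
    findings by crashing the run.
    """
    parts = line.split()
    if len(parts) != 4:
        return None
    src, dst, proto, dport = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return Flow(src, dst, proto.lower(), int(dport))
    except ValueError:
        return None


def is_allowed_source(src: str) -> bool:
    """True if src lies inside any of the allowed management networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_MGMT_NETS)


def find_unexpected_access(lines: List[str]) -> List[Flow]:
    """Return flows that reach an adapter's management ports over TCP from
    a source outside the management segment."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        if (flow.dst in ADAPTERS
                and flow.proto == "tcp"
                and flow.dport in MGMT_PORTS
                and not is_allowed_source(flow.src)):
            findings.append(flow)
    return findings


# Constructed sample records: one legitimate management session, normal
# SIP signalling, a malformed line, a host that is not an adapter, and two
# web-interface connections from outside the management segment.
SAMPLE_FLOWS = [
    "10.10.250.5 10.10.20.11 tcp 80",
    "10.10.30.77 10.10.20.12 udp 5060",
    "this line is not a flow record",
    "10.10.30.77 10.10.20.99 tcp 80",
    "10.10.30.77 10.10.20.11 tcp 80",
    "192.168.1.9 10.10.20.12 tcp 443",
]


if __name__ == "__main__":
    for f in find_unexpected_access(SAMPLE_FLOWS):
        print(f"ALERT: {f.src} reached adapter {f.dst} on tcp/{f.dport}")
```

Run against a real flow export, the two findings are what should trigger an investigation: any host outside the management segment that can reach the adapter's web interface can also reach its unauthenticated firmware upload. Extend `ADAPTERS` from the asset inventory rather than by hand, and treat a hit from a workstation VLAN as a segmentation failure even when no exploitation followed.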