- 05/05/2023 --- v1.0 -- Initial publication
On May 3, 2023, Cisco released an advisory to address a critical vulnerability in the web-based management system of the Cisco SPA112 2-Port Phone Adapters. The vulnerability is tracked as
CVE-2023-20126 and has a CVSS score of 9.8 .
A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to a missing authentication process within the firmware upgrade function. An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges .
There are currently no reports yet of an active exploitation of this vulnerability .
This vulnerability affects all firmware releases for Cisco SPA112 2-Port Phone Adapters .
Moreover, Cisco has not released and will not release firmware updates to address the vulnerability, because Cisco SPA112 2-Port Phone Adapters have entered the end of-life process and are no longer supported .
CERT-EU encourage constituents to discontinue using the product, as well as verify if any other similar -- possibly also no longer supported -- products are in use.
There are no workarounds that address this vulnerability.