In today’s cybersecurity alert, the SensCy team urges Cisco users to immediately install the latest security updates from Cisco.
In an earlier release, Cisco explained that a critical security vulnerability (CVE-2023-20078) was found in the web UI of multiple phone models, allowing attackers to inject arbitrary commands that will be executed with root privileges following successful exploitation.
A second vulnerability (CVE-2023-20079) was also found that can be abused to trigger Denial-of-Service attacks.
Here is the list of affected devices:
- Cisco IP Phone 6800, 7800, and 8800 series devices with Multiplatform Firmware (vulnerable to both RCE and DoS attacks)
- Unified IP Conference Phone 8831, Unified IP Conference Phone 8831 with Multiplatform Firmware, and Unified IP Phone 7900 Series (only vulnerable to DoS attacks)
A patch was released for CVE-2023-20078, but the company will not patch CVE-2023-20079 since the devices impacted have entered the end-of-life process, meaning they will not receive any support from Cisco.