March 2, 2023

Cisco Patches Critical Web UI RCE Vulnerability in Multiple IP Phones

Cisco has patched a critical security vulnerability discovered in the Web UI of several IP Phone models, which unauthenticated and remote threat actors can exploit in remote code execution (RCE) attacks.

The RCE Vulnerability

• CVE-2023-20078 (CVSS score: 9.8) – A vulnerability in the web-based management interface of certain Cisco IP Phones, could allow an unauthenticated, remote threat actor to execute arbitrary code (RCE) or cause a denial of service (DoS) condition.

Affected Products

• IP Phone 6800 Series with Multiplatform Firmware
• IP Phone 7800 Series with Multiplatform Firmware
• IP Phone 8800 Series with Multiplatform Firmware
• Unified IP Conference Phone 8831
• Unified IP Conference Phone 8831 with Multiplatform Firmware
• Unified IP Phone 7900 Series

Mitigation

CYREBRO recommends updating Cisco Multiplatform Firmware to the patched Release 11.3.7SR1 (12.0.1 release is unaffected).

Note

Cisco also announced in December that it would release patches for a high-severity zero-day vulnerability (CVE-2022-20968) with public exploit code discovered in the Cisco Discovery Protocol (CDP) processing feature of Cisco IP Phones running 7800 and 8800 Series firmware.

While a security update for CVE-2022-20968 is not yet available, administrators are advised to disable CDP on affected IP Phone devices that support Link Layer Discovery Protocol (LLDP) to eliminate the attack vector.

References: Cisco Advisory