May 18, 2023

CISCO Patches Critical Vulnerabilities

Cisco has addressed four critical RCE (Remote Code Execution) vulnerabilities discovered in multiple Small Business Series Switches. Successful exploit of any of the vulnerabilities could allow a threat actor to execute arbitrary code with root privileges on compromised devices.

The vulnerabilities are triggered by incorrect validation of requests delivered to the web interfaces of the targeted switches.

The Vulnerabilities

• CVE-2023-20159 (CVSS score: 9.8, Critical)
• CVE-2023-20160 (CVSS score: 9.8, Critical)
• CVE-2023-20161 (CVSS score: 9.8, Critical)
• CVE-2023-20189 (CVSS score: 9.8, Critical)

Affected Products

• 250 Series Smart Switches
• 350 Series Managed Switches
• 350X Series Stackable Managed Switches
• 550X Series Stackable Managed Switches
• Business 250 Series Smart Switches
• Business 350 Series Managed Switches
• Small Business 200 Series Smart Switches
• Small Business 300 Series Managed Switches
• Small Business 500 Series Stackable Managed Switches

Mitigation

CYREBRO updating relevant products up to the latest version.

Note: According to Cisco, the 200, 300, and 500 Series Small Business Switches firmware will not be patched due to the fact that these devices have already entered the end-of-life process.

References: Cisco Advisory.