Critical RCE vulnerability in Cisco phone adapters, no update available (CVE-2023-20126)
Cisco has revealed the existence of a critical vulnerability (CVE-2023-20126) in the web-based management interface of Cisco SPA112 2-Port Phone Adapters.
The adapters are widely used to integrate analog phones into VoIP networks without the need for an upgrade.
About the vulnerability (CVE-2023-20126)
CVE-2023-20126 can be exploited without prior authentication.
“This vulnerability is due to a missing authentication process within the firmware upgrade function. An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware,” Cisco’s security advisory explains.
“A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges.”
The vulnerability has been reported privately and there are no indications that it has been exploited in the wild.
The vulnerable adapter is no longer supported, meaning that Cisco will not be releasing firmware updates to fix this vulnerability.
With no fixes or workarounds available, Cisco is urging customers to migrate to a newer device.
In the security advisory, Cisco says users should migrate to a Cisco ATA 190 Series Analog Telephone Adapter, but the EOL document for the Cisco SPA112 2-Port Phone Adapter points to the Cisco ATA 191 Series Analog Telephone Adapter as a fitting replacement.