Cisco on Wednesday rolled out safety updates to deal with a vital flaw impacting its IP Telephone 6800, 7800, 7900, and 8800 Collection merchandise.
The vulnerability, tracked as CVE-2023-20078, is rated 9.8 out of 10 on the CVSS scoring system and is described as a command injection bug within the web-based administration interface arising as a result of inadequate validation of user-supplied enter.
Profitable exploitation of the bug might permit an unauthenticated, distant attacker to inject arbitrary instructions which can be executed with the very best privileges on the underlying working system.
“An attacker might exploit this vulnerability by sending a crafted request to the web-based administration interface,” Cisco stated in an alert revealed on March 1, 2023.
Additionally patched by the corporate is a high-severity denial-of-service (DoS) vulnerability affecting the identical set of gadgets, in addition to the Cisco Unified IP Convention Telephone 8831 and Unified IP Telephone 7900 Collection.
CVE-2023-20079 (CVSS rating: 7.5), additionally a results of inadequate validation of user-supplied enter within the web-based administration interface, may very well be abused by an adversary to trigger a DoS situation.
Whereas Cisco has launched Cisco Multiplatform Firmware model 11.3.7SR1 to resolve CVE-2023-20078, the corporate stated it doesn’t plan to repair CVE-2023-20079, as each the Unified IP Convention Telephone fashions have entered end-of-life (EoL).
Uncover the Newest Malware Evasion Ways and Prevention Methods
Able to bust the 9 most harmful myths about file-based assaults? Be part of our upcoming webinar and develop into a hero within the battle in opposition to affected person zero infections and zero-day safety occasions!
The corporate stated it isn’t conscious of any malicious exploitation makes an attempt focusing on the flaw. It additionally stated the issues had been found throughout inside safety testing.
The advisory comes as Aruba Networks, a subsidiary of Hewlett Packard Enterprise, launched an replace to ArubaOS to remediate a number of unauthenticated command injection and stack-based buffer overflow flaws (from CVE-2023-22747 via CVE-2023-22752, CVSS scores: 9.8) that might end in code execution.