Cisco on Wednesday rolled out security updates to address a critical flaw impacting its IP Phone 6800, 7800, 7900, and 8800 Collection products.
The vulnerability, tracked as CVE-2023-20078, is rated 9.8 out of 10 on the CVSS scoring technique and is explained as a command injection bug in the web-dependent management interface arising thanks to insufficient validation of user-provided input.
Profitable exploitation of the bug could let an unauthenticated, remote attacker to inject arbitrary instructions that are executed with the best privileges on the fundamental functioning procedure.
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
“An attacker could exploit this vulnerability by sending a crafted ask for to the web-primarily based management interface,” Cisco explained in an inform released on March 1, 2023.
Also patched by the firm is a high-severity denial-of-services (DoS) vulnerability impacting the exact established of devices, as perfectly as the Cisco Unified IP Convention Phone 8831 and Unified IP Phone 7900 Collection.
CVE-2023-20079 (CVSS score: 7.5), also a consequence of inadequate validation of consumer-provided input in the web-dependent management interface, could be abused by an adversary to bring about a DoS condition.
Whilst Cisco has launched Cisco Multiplatform Firmware variation 11.3.7SR1 to resolve CVE-2023-20078, the corporation stated it does not plan to take care of CVE-2023-20079, as equally the Unified IP Meeting Phone models have entered conclude-of-life (EoL).
The firm claimed it really is not knowledgeable of any malicious exploitation tries focusing on the flaw. It also stated the flaws had been identified during internal security testing.
The advisory arrives as Aruba Networks, a subsidiary of Hewlett Packard Company, introduced an update to ArubaOS to remediate a number of unauthenticated command injection and stack-dependent buffer overflow flaws (from CVE-2023-22747 through CVE-2023-22752, CVSS scores: 9.8) that could outcome in code execution.
Observed this post attention-grabbing? Comply with us on Twitter and LinkedIn to read additional exclusive content we publish.
Some parts of this post are sourced from:
thehackernews.com