Cisco on Wednesday rolled out security updates to address a critical flaw impacting its IP Phone 6800, 7800, 7900, and 8800 Collection products.
The vulnerability, tracked as CVE-2023-20078, is rated 9.8 out of 10 on the CVSS scoring technique and is explained as a command injection bug in the web-dependent management interface arising thanks to insufficient validation of user-provided input.
Profitable exploitation of the bug could let an unauthenticated, remote attacker to inject arbitrary instructions that are executed with the best privileges on the fundamental functioning procedure.
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
“An attacker could exploit this vulnerability by sending a crafted ask for to the web-primarily based management interface,” Cisco explained in an inform released on March 1, 2023.
Also patched by the firm is a high-severity denial-of-services (DoS) vulnerability impacting the exact established of devices, as perfectly as the Cisco Unified IP Convention Phone 8831 and Unified IP Phone 7900 Collection.
CVE-2023-20079 (CVSS score: 7.5), also a consequence of inadequate validation of consumer-provided input in the web-dependent management interface, could be abused by an adversary to bring about a DoS condition.
Whilst Cisco has launched Cisco Multiplatform Firmware variation 11.3.7SR1 to resolve CVE-2023-20078, the corporation stated it does not plan to take care of CVE-2023-20079, as equally the Unified IP Meeting Phone models have entered conclude-of-life (EoL).
The firm claimed it really is not knowledgeable of any malicious exploitation tries focusing on the flaw. It also stated the flaws had been identified during internal security testing.
The advisory arrives as Aruba Networks, a subsidiary of Hewlett Packard Company, introduced an update to ArubaOS to remediate a number of unauthenticated command injection and stack-dependent buffer overflow flaws (from CVE-2023-22747 through CVE-2023-22752, CVSS scores: 9.8) that could outcome in code execution.
Observed this post attention-grabbing? Comply with us on Twitter and LinkedIn to read additional exclusive content we publish.
Some parts of this post are sourced from: