Cisco IP Phone Web UI Vulnerabilities - 20230303001
Overview
Multiple vulnerabilities in the web-based management interface of certain Cisco IP Phones could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition.
The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit the other vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerability.
What is vulnerable?
Cisco IP Phone 6800, 7800, 7900, and 8800 Series
What is the vulnerability?
CVE-2023-20078
This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco Multiplatform Firmware:
- IP Phone 6800 Series with Multiplatform Firmware
- IP Phone 7800 Series with Multiplatform Firmware
- IP Phone 8800 Series with Multiplatform Firmware
CVE-2023-20079
This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco Multiplatform Firmware or Cisco Unified Software:
- IP Phone 6800 Series with Multiplatform Firmware
- IP Phone 7800 Series with Multiplatform Firmware
- IP Phone 8800 Series with Multiplatform Firmware
- Unified IP Conference Phone 8831
- Unified IP Conference Phone 8831 with Multiplatform Firmware
- Unified IP Phone 7900 Series
For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.
What has been observed?
CISA has added one new vulnerability to its [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/news-events/alerts/2023/03/02/cisco-releases-security-advisory-cisco-ip-phones), based on evidence of active exploitation.
Recommendation
Refer to the appropriate Cisco Security Bulletin for patch, upgrade or suggested workaround information. See References.