Cisco alerts of critical switch bugs with public exploit
Take action: Plan to patch as soon as possible, or isolate these devices behind a secure network boundary, because this set of vulnerabilities will quickly be folded into automated attacks worldwide.
Cisco issued a warning to its customers about critical vulnerabilities in several Small Business Series Switches.
These vulnerabilities, identified as CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189, have received high severity ratings and can be exploited remotely by attackers to execute arbitrary code with root privileges.
IMPORTANT - Proof-of-concept exploit code is already available, which means that exploitation by threat actors will start soon if it hasn't already.
Cisco has released free software updates that address the vulnerabilities described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.
Affected switches
- 250 Series Smart Switches
- 350 Series Managed Switches
- 350X Series Stackable Managed Switches
- 550X Series Stackable Managed Switches
- Business 250 Series Smart Switches
- Business 350 Series Managed Switches
- Small Business 200 Series Smart Switches
- Small Business 300 Series Managed Switches
- Small Business 500 Series Stackable Managed Switches
The flaws stem from inadequate validation of requests sent to the switches' web interfaces. Exploitation does not require user interaction and can be achieved through specially crafted requests.
The vulnerabilities are independent of each other, and a device affected by one may not be affected by others. Cisco has provided firmware updates to address the issues for some switch models, while certain Small Business Series Switches that have reached end-of-life status will not receive patches.
Vulnerable and fixed software versions
250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches, and 550X Series Stackable Managed Switches
| Cisco Firmware Release | First Fixed Release |
|---|---|
| 2.5.9.15 and earlier | 2.5.9.16 |
Business 250 Series Smart Switches and Business 350 Series Managed Switches
| Cisco Firmware Release | First Fixed Release |
|---|---|
| 3.3.0.15 and earlier | 3.3.0.16 |
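To turn the tables above into an inventory check, the following added example (not Cisco's code) compares each switch's running firmware against the first fixed release for its family using numeric, not string, version comparison. The hostnames and running versions in the sample inventory are constructed; families with no fixed release listed on this page are flagged for isolation, since the advisory says end-of-life models will not be patched.

```python
"""Triage a switch inventory against the first fixed releases in the advisory."""

# First fixed release per product family, taken from the advisory tables.
# Families with no fixed release listed on the page map to None.
FIRST_FIXED = {
    "250 Series Smart Switches": "2.5.9.16",
    "350 Series Managed Switches": "2.5.9.16",
    "350X Series Stackable Managed Switches": "2.5.9.16",
    "550X Series Stackable Managed Switches": "2.5.9.16",
    "Business 250 Series Smart Switches": "3.3.0.16",
    "Business 350 Series Managed Switches": "3.3.0.16",
    "Small Business 200 Series Smart Switches": None,
    "Small Business 300 Series Managed Switches": None,
    "Small Business 500 Series Stackable Managed Switches": None,
}


def parse_version(version: str) -> tuple:
    """Turn a dotted firmware string such as '2.5.9.15' into a comparable tuple.
    Numeric comparison avoids the string-order trap where '2.5.9.9' sorts after '2.5.9.16'."""
    return tuple(int(part) for part in version.strip().split("."))


def assess(family: str, running: str) -> str:
    """Return 'patched', 'vulnerable', 'no-fix-listed' or 'unknown-family'."""
    if family not in FIRST_FIXED:
        return "unknown-family"
    fixed = FIRST_FIXED[family]
    if fixed is None:
        # No fixed release on the page: treat as unpatchable and isolate.
        return "no-fix-listed"
    return "patched" if parse_version(running) >= parse_version(fixed) else "vulnerable"


def triage(inventory) -> dict:
    """Map each (hostname, family, running_version) record to its status."""
    return {host: assess(family, version) for host, family, version in inventory}


# Constructed sample inventory: hostnames and running versions are made up.
SAMPLE_INVENTORY = [
    ("sw-floor1", "250 Series Smart Switches", "2.5.9.15"),
    ("sw-floor2", "250 Series Smart Switches", "2.5.9.16"),
    ("sw-lab", "Business 350 Series Managed Switches", "3.3.0.9"),
    ("sw-legacy", "Small Business 300 Series Managed Switches", "1.4.11.5"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```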