Advisory

Cisco Warns of Critical Vulnerability in EoL Phone Adapters

Take action: Stop using the SPA112 2-Port phone adapters in your infrastructure as soon as possible. An attacker could install malicious code on them, sniff network traffic, or use them as a foothold for further attacks, and Cisco will not be releasing a fix for these devices.


Learn More

Cisco has recently issued a warning regarding a serious vulnerability affecting SPA112 2-Port phone adapters, which are now considered end-of-life (EoL). Identified as CVE-2023-20126 with a CVSS score of 9.8, this flaw specifically affects the web-based management interface of these phone adapters and can be exploited without authentication. According to Cisco's advisory, the vulnerability arises from a lack of authentication during the firmware upgrade process. Exploiting this bug involves remotely upgrading a device to a manipulated firmware version, which grants the attacker the ability to execute arbitrary code with full privileges.

Since the SPA112 2-Port phone adapters are no longer supported (they reached EoL on June 1, 2020), Cisco does not intend to release any firmware updates to fix the vulnerability. Instead, the company advises customers to transition to an ATA 190 Series analog telephone adapter.

While there are no known instances of this vulnerability being exploited maliciously, unpatched and susceptible Cisco devices have been targeted in real-world attacks. Organizations should therefore prioritize removing the SPA112 2-Port phone adapters from their environments promptly.
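To make the flaw class concrete, the following is an added, constructed model (not Cisco's code and not the SPA112 firmware) of a firmware-upgrade handler: the vulnerable form applies any image it receives, while the hardened form requires an authenticated session and an integrity check on the image before it is applied. The `Device`, `Request`, `SIGNING_KEY` and HMAC-based signature are all assumptions made for the illustration; real devices verify an asymmetric vendor signature.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed placeholder; a real device would verify a vendor signature
# with a public key, not a shared secret. HMAC stands in for that check.
SIGNING_KEY = b"constructed-vendor-signing-key"


@dataclass
class Request:
    session: Optional[str]  # session token; None when unauthenticated
    image: bytes            # firmware image as uploaded
    signature: bytes        # signature presented with the image


@dataclass
class Device:
    firmware: bytes = b"stock-fw-1.0"
    sessions: set = field(default_factory=set)  # valid logged-in tokens


def sign_image(image: bytes) -> bytes:
    """Constructed signing step, as the vendor build pipeline would do it."""
    return hmac.new(SIGNING_KEY, image, hashlib.sha256).digest()


def vulnerable_upgrade(dev: Device, req: Request) -> int:
    """Models the advisory's flaw: no authentication and no image check,
    so an unauthenticated caller can replace the firmware outright."""
    dev.firmware = req.image
    return 200


def hardened_upgrade(dev: Device, req: Request) -> int:
    """Both controls the vulnerable handler lacks, in order."""
    if req.session is None or req.session not in dev.sessions:
        return 401  # management session required before any upgrade
    expected = sign_image(req.image)
    if not hmac.compare_digest(expected, req.signature):
        return 403  # image is not a vendor-signed build; do not apply
    dev.firmware = req.image
    return 200


if __name__ == "__main__":
    dev = Device()
    print(vulnerable_upgrade(dev, Request(None, b"tampered", b"")), dev.firmware)
    dev = Device()
    print(hardened_upgrade(dev, Request(None, b"tampered", b"")), dev.firmware)
```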