Cisco has disclosed a vulnerability in the web management interface of the Cisco SPA112 2-Port Phone Adapters, allowing an unauthenticated remote attacker to execute arbitrary code on the devices.

Tracked as CVE-2023-20126 and having a “critical” CVSS score of 9.8, this vulnerability is caused by a missing authentication process in the firmware upgrade function.

“An attacker could exploit this vulnerability by upgrading an affected device to a specially crafted version of firmware,” it reads. Cisco Security Bulletin

“A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges.”

These phone adapters are a popular choice in the industry for integrating analog phones into VoIP networks without upgrading.

Although these adapters can be used in many organizations, they are unlikely to be exposed to the Internet, making these flaws primarily exploitable from the local network.

However, gaining access to these devices could help a malicious actor spread laterally across a network undetected, as security software typically does not monitor these types of devices.

Because Cisco SPA112 has reached the end of its life, it is no longer supported by the vendor and will not receive a security update. Additionally, Cisco has not provided any mitigations for CVE-2023-20136.

Cisco’s security bulletin aims to raise awareness of the need to replace affected telephony adapters or implement additional layers of security to protect them from attacks.

The recommended replacement model is the Cisco ATA 190 Series Analog Telephone Adapter, which has a designated end-of-life date of March 31, 2024.

The company is not aware of any instances of CVE-2023-20136 being actively exploited in the wild, but this could change at any time, so administrators are advised to take appropriate precautions urgently.

Critical-severity flaws on once-popular devices are potential candidates for use in attacks, potentially leading to large-scale security incidents.