Cisco SPA112 2-Port Phone Adapters Remote Command Execution Vulnerability
CVE-2023-20126

9.8CRITICAL

Key Information:

Vendor: Cisco
Status: Cisco Small Business Ip Phones
Vendor: CVE Published:; 4 May 2023

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A critical flaw in the web-based management interface of the Cisco SPA112 2-Port Phone Adapter allows unauthenticated attackers to execute arbitrary code. This vulnerability stems from an absence of authentication during the firmware upgrade process, which could enable an attacker to upload a malicious firmware version. If successfully exploited, the attacker gains complete system privileges, putting the device and potentially the larger network at significant risk. Cisco has not yet provided any firmware updates to mitigate this issue.

Affected Version(s)

Cisco Small Business IP Phones

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

RancidCrisco
Created by fullspectrumdev

References

https://sec.cloudapps.cisco.com/security/center/content/C...

vendor-advisory

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
May 17, 2023
👾
Exploit known to exist
May 17, 2023
Vulnerability published
May 4, 2023
Vulnerability Reserved
Oct 27, 2022