Cisco Releases Security Update for IP Phone Systems

Cisco has released software fixes for multiple versions of firmware running on some of its IP phones, the company announced in an advisory. The advisory covers two vulnerabilities that affect six products, including the 6800 series, 7800 series, and 8800 series phones running the company’s multiplatform firmware.

 

The first vulnerability, CVE-2023-20078 (CVSS score 9.8), allows an unauthenticated remote attacker to send a crafted request to the phone’s web-based management interface and execute arbitrary operating system commands with root privileges. The second vulnerability, CVE-2023-20079 (CVSS score 7.5), allows an unauthenticated remote attacker to force a device reload, leading to a denial of service. Firmware versions prior to 11.3.7SR1 are affected. However, the affected Unified IP conference phones are already end-of-life and won’t be patched.

The vulnerabilities were discovered during internal security testing. Cisco has released software fixes for the affected products and recommends users update their firmware as soon as possible.