Cisco phone adapters vulnerable to RCE attacks, no fix available
Cisco has disclosed a critical vulnerability (CVE-2023-20126) in the web-based management interface of Cisco SPA112 2-Port Phone Adapters, which allows an unauthenticated, remote attacker to execute arbitrary code on the devices. The vulnerability is caused by a missing authentication process within the firmware upgrade function. These phone adapters are popular for incorporating analog phones into VoIP networks without upgrading. However, since Cisco SPA112 has reached the end of its life, it is no longer supported by the vendor and will not receive a security update. Cisco has provided no mitigations for this vulnerability and recommends replacing the impacted phone adapters or implementing additional security layers to protect them from attacks.

CVEs: CVE-2023-20126, CVE-2023-20136

[View Article](https://www.bleepingcomputer.com/news/security/cisco-phone-adapters-vulnerable-to-rce-attacks-no-fix-available/)