Cisco Warns of Vulnerabilities in Popular Phone Adapters, Urges Migration to Newer Models
Cisco has warned about a critical security flaw in the SPA112 2-Port Phone Adapters that it says could be exploited by remote attackers to execute arbitrary code on affected devices.
The issue, tracked as CVE-2023-20126, is rated 9.8 out of 10 on the CVSS rating system. The company credits Catalpa from DBappSecurity for reporting the flaw.
The product in question makes it possible to connect analog phones and fax machines to a VoIP service provider without the need for an upgrade.
“This vulnerability is caused by a missing authentication process in the firmware update function,” the company said in a newsletter.
“An attacker can exploit this vulnerability by upgrading the affected device to a manufactured firmware version. A successful exploit could allow an attacker to execute arbitrary code on the affected device with full privileges.”
Despite the severity of the flaw, the network equipment maker said it has no intention of releasing a fix because the device reached end-of-life status (EoL) on June 1, 2020.
It instead recommends that users migrate to a Cisco ATA 190 Series Analog Phone Adapter, which is set to receive its last update on March 31, 2024. There is no evidence that the flaw has been maliciously exploited in the wild.