CVE-2023-20126Missing Authentication for Critical Function in Cisco Small Business IP Phones

CWE-306Missing Authentication for Critical Function4 documents4 sources
Severity
9.8CRITICALNVD
EPSS
73.9%
top 1.17%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco Small Business IP PhonesCisco Spa112 Firmware
Timeline
PublishedMay 4

Description

A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to a missing authentication process within the firmware upgrade function. An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the attacker to execute arbitrary code on the affected device with

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

🔴Vulnerability Details

2
CVEList
Cisco SPA112 2-Port Phone Adapters Remote Command Execution Vulnerability2023-05-04
GHSA
GHSA-x7fj-4595-2pp2: A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters could allow an unauthenticated, remote attacker to execute2023-05-04

📋Vendor Advisories

1
Cisco
Cisco SPA112 2-Port Phone Adapters Remote Command Execution Vulnerability2023-05-03
CVE-2023-20126 — Cisco vulnerability | cvebase