Executive Summary

Multiple Vulnerabilities in the web-based management interface for the Cisco IP Phones: 6800, 7800, 7900, and 8800 have been identified. The vulnerabilities are tracked as CVE-2023-20078 and CVE-2023-20079.

What’s the risk to me or my business?

Successful exploitation of the vulnerabilities could allow an attacker to remotely execute code or cause a denial of service (DoS). The vulnerabilities are not dependent on each other and can therefore be executed without requiring the other one.

What can I do?

There are no workarounds, and it is recommended that the patches for the vulnerabilities released by CISCO are installed.

The following models and firmware versions are impacted:

·       IP Phone 6800 Series with Multiplatform Firmware version earlier than  11.3.7SR1

·       IP Phone 7800 Series with Multiplatform Firmware version earlier than  11.3.7SR1

·       IP Phone 8800 Series with Multiplatform Firmware version earlier than  11.3.7SR1

Due to the following products having reached the end of life process, there is no patch available:

·       Cisco Unified IP Phone 7900 Series

·       Cisco Unified IP Conference Phone 8831

·       Cisco Unified IP Conference Phone 8831 with Multiplatform Firmware

 Further information on the vulnerabilities be found here:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ip-phone-cmd-inj-KMFynVcP

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity