Cisco SPA112 2-Port Phone Adapters have been reported to be vulnerable to arbitrary code execution via a malicious firmware upgrade. Cisco has classified this vulnerability as Critical, with a CVSS score of 9.8.
CVE-2023-20126 – Port Phone Adapters RCE Flaw
A remote attacker can exploit the vulnerability by upgrading a device to a crafted firmware version, which would allow them to execute arbitrary code with full privileges. As the SPA112 2-Port phone adapters are no longer supported (they reached EoL on June 1, 2020), Cisco does not plan to release firmware updates to address the vulnerability.
Even though the flaw is serious, Cisco said it has no plans to fix it because the devices reached end of life (EoL) on June 1, 2020.
To resolve this issue, Cisco has asked its customers to upgrade to the Cisco ATA 190 Series Analog Telephone Adapter.
- All firmware releases of Cisco SPA112 2-Port Phone Adapters are affected by this issue.
- Cisco published its security advisory for this issue on 3rd May 2023 to alert its customers.