Skip to main content

Cisco Releases Critical Security Updates for Cisco IP Phone

Cisco addresses one Critical command injection vulnerability and one High denial-of-service vulnerability for Cisco IP Phone

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Cisco addresses one Critical command injection vulnerability and one High denial-of-service vulnerability for Cisco IP Phone


Affected platforms

The following platforms are known to be affected:

The following platforms are also known to be affected:

  • Unified IP Phone 7900 Series (End-of-life)
  • Unified IP Conference Phone 8831 (End-of-life)
  • Unified IP Conference Phone 8831 with Multiplatform Firmware (End-of-life)

Threat details

End-of-life products will not receive security updates

Cisco Unified IP Phone 7900 Series and Cisco Unified IP Conference Phone 8831 have entered the end-of-life process. For these products, Cisco has not released and will not release software updates to address the vulnerabilities that are described in CVE-2023-20079.


Introduction

Cisco has released a security advisory that addresses one Critical vulnerability and one High impact vulnerability. The Critical vulnerability could allow an unauthenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The High vulnerability could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service condition.

Four Medium advisories also released

In addition to the Critical security advisory, Cisco has released four Medium advisories impacting Webex App, Finesse, Unified Intelligence Center, and Prime Infrastructure. The vulnerabilities concern cross-site scripting, denial-of-service, and server-side request forgery.


Remediation advice

Affected organisations are encouraged to review the following Cisco Security Advisories for more information.


Remediation steps

Type Step
Patch

Critical Security Advisory
Cisco IP Phone 6800, 7800, 7900, and 8800 Series Web UI Vulnerabilities | cisco-sa-ip-phone-cmd-inj-KMFynVcP


https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ip-phone-cmd-inj-KMFynVcP
Patch

Cisco Webex App for Web Cross-Site Scripting Vulnerability | cisco-sa-webex-xss-Yn8HHsMJ


https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-xss-Yn8HHsMJ
Patch

Cisco Finesse Reverse Proxy VPN-less Access to Finesse Desktop Denial of Service Vulnerability | cisco-sa-finesse-proxy-dos-vY5dQhrV


https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-finesse-proxy-dos-vY5dQhrV
Patch

Cisco Unified Intelligence Center Vulnerabilities | cisco-sa-cuic-infodisc-ssrf-84ZBmwVk


https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cuic-infodisc-ssrf-84ZBmwVk
Patch

Cisco Prime Infrastructure and Evolved Programmable Network Manager Stored Cross-Site Scripting Vulnerability | cisco-sa-cisco-pi-epnm-xss-mZShH2J


https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-pi-epnm-xss-mZShH2J

Last edited: 2 March 2023 2:36 pm