Cisco on Wednesday released security updates to address a critical flaw affecting its IP Phone 6800, 7800, 7900, and 8800 Series products.
The vulnerability, tracked as CVE-2023-20078, is rated 9.8 out of 10 on the CVSS scoring system and is described as a command injection bug in the web-based management interface that arises from insufficient validation of user-supplied input.
Successful exploitation of the bug could allow an unauthenticated, remote attacker to inject arbitrary commands that are executed with the highest privileges on the underlying operating system.
“An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface,” Cisco said in an advisory published on March 1, 2023.
Also patched by the company is a high-severity denial-of-service (DoS) vulnerability affecting the same set of devices, as well as the Cisco Unified IP Conference Phone 8831 and Unified IP Phone 7900 Series.
CVE-2023-20079 (CVSS score: 7.5), also a result of insufficient validation of user-supplied input in the web-based management interface, could be abused by an adversary to cause a DoS condition.
While Cisco has released Cisco Multiplatform Firmware version 11.3.7SR1 to resolve CVE-2023-20078, the company said it does not plan to fix CVE-2023-20079, as both of the Unified IP Conference Phone models have reached end-of-life (EoL).
The company said it is not aware of any malicious exploitation attempts targeting the flaw. It also said the flaws were discovered during internal security testing.
The advisory comes as Aruba Networks, a subsidiary of Hewlett Packard Enterprise, released an update to ArubaOS to remediate several unauthenticated command injection and stack-based buffer overflow flaws (from CVE-2023-22747 through CVE-2023-22752, CVSS scores: 9.8) that could result in code execution.