On March 1, 2023, Cisco released security updates for its IP Phone series 6800, 7800, 7900, and 8800 to address a critical command injection vulnerability (CVE-2023-20078) rated 9.8 on the CVSS scoring system.
The flaw is caused by a web-based management interface, which lacks proper user-supplied input validation, allowing an unauthenticated, remote attacker to inject arbitrary commands with the highest privileges.
The company also patched a high-severity DoS vulnerability (CVE-2023-20079) affecting the same devices and the Cisco Unified IP Conference Phone 8831 and Unified IP Phone 7900 series.
Cisco released the Cisco Multiplatform Firmware version 11.3.7SR1 to resolve CVE-2023-20078 but will not fix CVE-2023-20079, as both the Unified IP Conference Phone models are in their end-of-life phase.
Cisco said there have been no known malicious exploitation attempts targeting the vulnerability and the flaws were discovered during internal security testing.
The update came as Aruba Networks released an ArubaOS update to remediate several unauthenticated command injection and stack-based buffer overflow flaws that could result in code execution.
