On Wednesday, 1 March 2023, Cisco published an advisory for a critical-severity vulnerability impacting its 6800, 7800, and 8800 series IP phones. The vulnerability allows unauthenticated execution of arbitrary code.
The vulnerability was responsibly disclosed to Cisco by a security researcher, and security patches are available to remediate the vulnerability.
We have not observed active exploitation of this vulnerability, nor has a public proof of concept (PoC) exploit been published for it at this time. However, threat actors have historically targeted Cisco IP phones through other remote code execution vulnerabilities such as CVE-2020-3161, which is listed in CISA’s Known Exploited Vulnerabilities Catalog. Additionally, Arctic Wolf Labs has published research on ransomware groups such as Lorenz, demonstrating how threat actors can take advantage of vulnerabilities in VoIP appliances for initial access.
We strongly recommend applying the relevant security patches to impacted devices to remediate the vulnerability and prevent potential exploitation.
Recommendations for CVE-2023-20078
Recommendation #1: Install Vendor Supplied Patches for Affected Products
We strongly recommend applying the latest relevant security patches to the impacted products, as no workarounds are available. Security patches can be found via Cisco’s Support and Downloads page: https://www.cisco.com/c/en/us/support/index.html
Note: Arctic Wolf recommends change management best practices for deploying security patches, including testing changes in a testing environment before deploying to production to avoid operational impact.
| Cisco Product | First Fixed Release |
| --- | --- |
| Cisco 6800 series IP phones | Cisco Multiplatform Firmware 11.3.7SR1 |
| Cisco 7800 series IP phones | Cisco Multiplatform Firmware 11.3.7SR1 |
| Cisco 8800 series IP phones | Cisco Multiplatform Firmware 11.3.7SR1 |
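The table above gives a single first fixed release per series, so the practical question for an administrator is which devices in an inventory run something older than it. The following script is an added example (not part of the original bulletin, and not Cisco or Arctic Wolf code) that parses firmware version strings in the `major.minor.patch[SRn]` shape shown in the table and flags devices running a release earlier than the first fixed one. It assumes that a service release such as `11.3.7SR1` sorts after the base release `11.3.7` it extends; the inventory, hostnames, and versions are constructed for illustration.

```python
import re

# First fixed release per affected series, taken from the advisory table.
FIRST_FIXED = {
    "6800": "11.3.7SR1",
    "7800": "11.3.7SR1",
    "8800": "11.3.7SR1",
}

# Matches the "major.minor.patch" shape with an optional "SRn" service-release
# suffix, as used in the table (assumption: other Cisco version shapes are not handled).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:SR(\d+))?$")


def parse_version(version):
    """Turn '11.3.7SR1' into a comparable tuple (11, 3, 7, 1).

    Assumption: a service release sorts after the base release it extends,
    so 11.3.7 < 11.3.7SR1 < 11.3.7SR2 < 11.3.8. A base release gets SR 0.
    """
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    major, minor, patch, sr = match.groups()
    return (int(major), int(minor), int(patch), int(sr) if sr else 0)


def needs_patch(series, version):
    """True when an affected series runs a release older than the first fixed one."""
    fixed = FIRST_FIXED.get(series)
    if fixed is None:
        return False  # series not listed in the advisory; nothing to compare against
    return parse_version(version) < parse_version(fixed)


def triage(inventory):
    """Return the (hostname, series, version) entries that still need the patch."""
    return [(host, series, ver) for host, series, ver in inventory if needs_patch(series, ver)]


# Constructed sample inventory; hostnames and firmware versions are made up.
SAMPLE_INVENTORY = [
    ("phone-lobby-01", "8800", "11.3.6"),
    ("phone-desk-12", "7800", "11.3.7"),
    ("phone-desk-13", "7800", "11.3.7SR1"),
    ("phone-conf-02", "6800", "11.3.7SR2"),
    ("phone-exec-01", "8800", "11.3.8"),
]

if __name__ == "__main__":
    for host, series, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: {series} series on {ver}, below first fixed {FIRST_FIXED[series]}")
```

Run against a real inventory export, the script reports only devices whose firmware is older than the first fixed release, which is the set to schedule into the change window described in the note above; a version string it cannot parse raises an error rather than being silently treated as patched.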
Recommendation #2: Do not expose management interfaces to the public internet
The management interface described in this bulletin should never be exposed to the public internet. We recommend that organisations review their firewall configurations and confirm that no such devices are publicly reachable.