Critical RCE Vulnerability in Multiple Cisco IP Phones: CVE-2023-20078


On Wednesday, 1 March 2023, Cisco published an advisory of a critical severity vulnerability impacting 6800, 7800, and 8800 series IP phones. The vulnerability allows for unauthenticated execution of arbitrary code. 

The vulnerability was responsibly disclosed to Cisco by a security researcher, and security patches are available to remediate the vulnerability. 

We have not observed active exploitation of this vulnerability, nor has a public proof of concept (PoC) exploit been published for it at this time. However, threat actors have historically targeted Cisco IP Phones with other remote code execution vulnerabilities such as CVE-2020-3161, as published in CISA’s Known Exploited Vulnerabilities Catalog. Additionally, Arctic Wolf Labs has published research on ransomware groups such as Lorenz, demonstrating how threat actors can take advantage of vulnerabilities in VoIP appliances for initial access. 

We strongly recommend applying the relevant security patches to impacted devices to remediate the vulnerabilities and prevent potential exploitation. 

Recommendations for CVE-2023-20078

Recommendation #1: Install Vendor Supplied Patches for Affected Products 

We strongly recommend applying the latest relevant security patches to the impacted products as no workarounds are available. Security patches can be found via Cisco’s Support and Downloads page here: https://www.cisco.com/c/en/us/support/index.html  

Note: Arctic Wolf recommends change management best practices for deploying security patches, including testing changes in a testing environment before deploying to production to avoid operational impact. 

| Cisco Product                | First Fixed Release                    |
|------------------------------|----------------------------------------|
| Cisco 6800 series IP phones  | Cisco Multiplatform Firmware 11.3.7SR1 |
| Cisco 7800 series IP phones  | Cisco Multiplatform Firmware 11.3.7SR1 |
| Cisco 8800 series IP phones  | Cisco Multiplatform Firmware 11.3.7SR1 |
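To turn the fixed-release table above into a repeatable inventory check, the following added example (not Arctic Wolf's or Cisco's code) parses Multiplatform Firmware version strings and flags phones that are still below 11.3.7SR1. It assumes version strings take the form MAJOR.MINOR.PATCH with an optional "SRn" service-release suffix, that a bare release sorts before its SR1 service release, and that every release at or after the first fixed release carries the fix. The inventory rows, hostnames and the "unknown" series value are constructed sample data.

```python
"""Flag Cisco 6800/7800/8800 series IP phones whose Multiplatform
Firmware is older than the first fixed release for CVE-2023-20078.

Added example, not Arctic Wolf's or Cisco's code. Assumptions: version
strings look like 11.3.7 or 11.3.7SR1 (MAJOR.MINOR.PATCH plus optional
SRn suffix), a bare release sorts before its SR1 service release, and
releases at or after the first fixed release are fixed.
"""
import re
from typing import List, Optional, Tuple

# First fixed release per the advisory's table (all three series).
FIRST_FIXED = {
    "6800": "11.3.7SR1",
    "7800": "11.3.7SR1",
    "8800": "11.3.7SR1",
}

# Assumed format: MAJOR.MINOR.PATCH with an optional SRn suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:SR(\d+))?$", re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '11.3.7SR1' into (11, 3, 7, 1); a missing SR suffix is 0.

    Raises ValueError for strings that do not match the assumed format,
    so malformed inventory data is surfaced instead of silently passing.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    major, minor, patch, sr = m.groups()
    return (int(major), int(minor), int(patch), int(sr) if sr else 0)


def is_vulnerable(series: str, version: str) -> Optional[bool]:
    """True if the phone runs firmware below the first fixed release.

    Returns None for a series the advisory's table does not list, so
    callers report 'not assessed' rather than a false 'fixed'.
    """
    fixed = FIRST_FIXED.get(series)
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


def audit(inventory: List[dict]) -> List[dict]:
    """Annotate each inventory row with a patch status string."""
    labels = {True: "PATCH REQUIRED", False: "fixed", None: "not assessed"}
    results = []
    for row in inventory:
        try:
            status = labels[is_vulnerable(row["series"], row["firmware"])]
        except ValueError as exc:
            status = f"unparseable ({exc})"
        results.append({**row, "status": status})
    return results


# Constructed sample inventory; hostnames and the "unknown" series are placeholders.
SAMPLE_INVENTORY = [
    {"hostname": "phone-101", "series": "8800", "firmware": "11.3.6"},
    {"hostname": "phone-102", "series": "7800", "firmware": "11.3.7"},
    {"hostname": "phone-103", "series": "6800", "firmware": "11.3.7SR1"},
    {"hostname": "phone-104", "series": "8800", "firmware": "11.3.7SR2"},
    {"hostname": "phone-105", "series": "unknown", "firmware": "11.3.7"},
    {"hostname": "phone-106", "series": "7800", "firmware": "v11"},
]

if __name__ == "__main__":
    for r in audit(SAMPLE_INVENTORY):
        print(f"{r['hostname']:10} {r['series']:8} {r['firmware']:10} {r['status']}")
```

Note that 11.3.7 without a service-release suffix is reported as needing a patch, since the table names 11.3.7SR1 as the first fixed release; a version string the parser cannot interpret is reported rather than treated as safe.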


Recommendation #2: Do not expose management interfaces to the public internet 

The management interface described in this bulletin should never be exposed publicly to the internet. We recommend that organisations review their firewall configurations and ensure that no such devices are exposed publicly. 


James Liolios


James Liolios is a Senior Threat Intelligence Researcher at Arctic Wolf, where he keeps a watchful eye on the latest threats and threat actors to understand the potential impact to Arctic Wolf customers. He has a background of 9 years' experience in many areas of cybersecurity, holds a bachelor's degree in Information Security, and is also CISSP certified.