There is a critical security flaw in a Cisco phone adapter, and the business technology giant says the only step to take is dumping the hardware and migrating to new kit.
In an advisory, Cisco this week warned about the vulnerability in the SPA112 2-Port Adapter that, if exploited, could allow a remote attacker to essentially take control of a compromised device by seizing full privileges and executing arbitrary code.
The flaw, tracked as CVE-2023-20126, is rated as “critical,” with a base score of 9.8 out of 10.
Adding to the problem is the fact that the adapter reached its end of life in June 2020, and while the last date to extend or renew a service contract for the product isn’t until August 2024, Cisco said in the advisory it will not release firmware updates to address the flaw and there are no workarounds.
“Customers are encouraged to migrate to a Cisco ATA 190 Series Analog Telephone Adapter,” the manufacturer wrote in its advisory.
The Register has asked Cisco for more information, and will update the story if a response comes in.
The flaw is in the web-based management interface for the two-port adapter, which is used by organizations to connect analog phones and fax machines (please don’t ask us to explain what those are) to voice-over-IP systems without having to upgrade them.
The vulnerability stems from a missing authentication process in the firmware upgrade function, according to Cisco.
“This vulnerability is due to a