Cisco has disclosed a high-severity vulnerability affecting the latest generation of its IP phones and exposing them to remote code execution and Denial of Service (DoS) attacks. The company warned on Thursday that its Product Security Incident Response Team (PSIRT) is “aware that proof-of-concept exploit code is available” and that the “vulnerability has been publicly discussed.” However, Cisco’s PSIRT added that it is not yet aware of any attempts to exploit this flaw in attacks. Cisco did not release security updates to address this bug before disclosure and says that a patch will be available in January 2023. The security flaw is tracked as CVE-2022-20968 and is caused by insufficient input validation of received Cisco Discovery Protocol packets. When unauthenticated, adjacent attackers can exploit this issue to trigger a stack overflow. Affected devices include Cisco IP phones running 7800 and 8800 Series firmware version 14.2 and earlier. The vulnerability was reported to Cisco by Qian Chen of the Codesafe Team of Legendsec at QI-ANXIN Group.
Watch the Video
How does Binary Defense help protect your organization? With best in breed cybersecurity tactics, techniques, and services, we make sure that your environment is secure against the most advanced attacks.