Home / Threat Intelligence bulletins / Critical Cisco vulnerability allows remote code execution capabilities

Target Industry

Indiscriminate, opportunistic targeting.


Cisco has disclosed a critical vulnerability, tracked as CVE-2023-20126 (CVSSv3 Score: 9.8 – Critical), in the management interface of Cisco SPA112 2-Port Phone Adapters, which could lead to arbitrary code execution on vulnerable devices. The security flaw is caused by a missing authentication process within the firmware upgrade function.

At the time of writing, there have been no reports of the vulnerability being actively exploited in the wild. However, as with any security flaw, it is possible that this could change at any time.


The emergence of CVE-2023-20126 has been a result of a missing authentication process within the firmware upgrade function. A threat actor could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the threat actor to execute arbitrary code on the affected device with full privileges.

Affected Products

– Cisco SPA112 2-Port Phone Adapters

Containment, Mitigations & Remediations

Cisco SPA112 has reached the end of life (EoL) and as such is no longer supported by Cisco and will not receive a security update. The purpose of the Cisco advisory has been to raise awareness of the necessity to replace the impacted phone adapters or implement additional security measures to protect vulnerable devices from potential exploitation.

It is recommended that Cisco SPA112 users replace the vulnerable devices with the Cisco ATA 190 Series Analog Telephone Adapter, the end-of-life date not arriving until 31st March 2024.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

Cisco occupies a significant proportion of the enterprise network infrastructure market share. Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on, Cisco products have become a prime target. Due to the fact that Cisco products have become an integral aspect of business operations, threat actors will continue to exploit vulnerabilities contained within the associated products in an attempt to extract the sensitive data contained therein.

The associated phone adapters are prevalent within industry sectors for incorporating analogue phones into VoIP networks. Regardless of the widespread usage, it is unlikely that the devices are exposed to the internet, meaning that exploitation would most commonly occur from within the local network. However, it should be noted that if threat actors gain access to these devices, it could provide an opportunity for lateral movement.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies


TA0002 – Execution

Further Information

Cisco Advisory

Intelligence Terminology Yardstick