Cisco Systems is issuing software updates to tackle a high-risk vulnerability in several VoIP phone models, the company said in an advisory.
The bug, which was found by Cisco during internal security testing, "could allow an authenticated, remote attacker to perform a command injection and execute commands with the privileges of the web server," Cisco said in the advisory. In practical terms, the phones leave an opening for attackers to make and listen to calls and steal data.
The updates, known as 11.2(1), are expected to be issued next month and will be available for download from Cisco's Software Center, the company said in the advisory. Cisco's Product Security Incident Response Team (PSIRT) is not aware of any incidents in which the vulnerability has been exploited, the company said.
The bug potentially affects Cisco 6800, 7800 and 8800 series IP phones running multiplatform firmware.
The phones are relatively new, and targeted at UCaaS providers, said Ben Johnson, CEO of Liberty Technology, a Griffin, Ga., solution provider that works with Cisco. "Frequently those providers don't specify whether or not their handsets should live behind firewalls or be directly on the WAN," he said.
"This is only affecting a very small percentage of Cisco handsets, and Cisco will fix it quickly," Johnson said. "I'm happy, as usual, to see transparency and [Cisco] taking ownership of issues instead of sweeping them under rugs like a lot of other vendors."