Cisco says it has fixed four high-severity vulnerabilities which could have allowed threat actors to remotely hijack network switches (opens in new tab) for small businesses.
In a security advisory published by the company’s Product Security Incident Response Team (PSIRT), hackers could abuse flaws in the web user interface to run arbitrary code with root privileges. The flaws in question are tracked as CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189, all with a 9.8 severity rating.
“An attacker could exploit this vulnerability by sending a crafted request through the web-based user interface,” Cisco stated. “A successful exploit could allow the attacker to execute arbitrary code with root privileges on an affected device.”
Multiple devices affected
The list of vulnerable devices includes the 250 Series smart switches, 350 Series managed switches, and 350X Series and 550X stackable managed switches. To fix the flaws, IT teams are advised to bring their firmware up to version 2.5.9.16. There is no workaround for the flaws, Cisco said, so the only way to truly stay safe is to apply the patch.
Small Business 200 Series smart switches, Small Business 300 Series managed switches, and Small Business 500 Series stackable managed switches are also said to be affected by the flaws, but as these are reaching end-of-life, Cisco won’t be releasing a patch. Businesses using these endpoints are advised to migrate to a newer model.
Businesses with service contracts that include software updates will receive the fixes through the usual update channels, Cisco said. Businesses with valid Cisco or third-party licenses will have their gear patched through maintenance upgrades, it was added.
While the company claims there’s no evidence of these flaws being used in the wild, it did say that a proof-of-concept exists. As such, it’s just a matter of time before hackers start exploiting the vulnerabilities.
The flaws were discovered by an “external researcher”, Cisco concluded.
Via: The Register (opens in new tab)
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba