Cisco Patches High-Severity Vulnerabilities in Analog Telephone Adapters


Cisco on Wednesday announced patches for eight vulnerabilities in the firmware of ATA 190 series analog telephone adapters, including two high-severity flaws leading to configuration changes and cross-site request forgery (CSRF) attacks.

Impacting the web-based management interface of the firmware and tracked as CVE-2024-20458, the first bug exists because specific HTTP endpoints lack authentication, allowing remote, unauthenticated attackers to browse to a specific URL and view or delete configurations, or modify the firmware.

The second issue, tracked as CVE-2024-20421, allows remote, unauthenticated attackers to conduct CSRF attacks and perform arbitrary actions on vulnerable devices. An attacker can exploit the security defect by convincing a user to click on a crafted link.

Cisco also patched a medium-severity vulnerability (CVE-2024-20459) that could allow remote, authenticated attackers to execute arbitrary commands with root privileges.

The remaining five security defects, all medium severity, could be exploited to conduct cross-site scripting (XSS) attacks, execute arbitrary ...


Copyright of this story solely belongs to SecurityWeek.