Cisco has announced fixes for four high-severity vulnerabilities that could allow threat actors to remotely compromise network switches used by small businesses. The flaws, tracked as CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189, are weaknesses in the web user interface that enable an attacker to execute arbitrary code with root privileges. All four vulnerabilities carry a severity rating of 9.8 out of 10.
According to the security advisory issued by Cisco’s Product Security Incident Response Team (PSIRT), an attacker could exploit the vulnerabilities by sending a crafted request through the web-based user interface. Successful exploitation would result in the execution of unauthorized code with elevated privileges on the affected device.
The impacted devices include the 250 Series smart switches, 350 Series managed switches, and 350X Series and 550X stackable managed switches. To address the vulnerabilities, IT teams are strongly advised to update their firmware to version 2.5.9.16. Cisco has stated that no workarounds are available, so applying the patch is the only way to remediate the flaws.
Additional devices affected by the vulnerabilities include the Small Business 200 Series smart switches, Small Business 300 Series managed switches, and Small Business 500 Series stackable managed switches. However, as these devices are approaching their end-of-life stage, Cisco will not release a patch for them. Instead, businesses using these devices are encouraged to migrate to newer models.
Cisco has assured customers whose service contracts include software updates that they will receive the necessary fixes through their usual update channels. Similarly, businesses with valid Cisco or third-party licenses will have their equipment patched through maintenance upgrades.
While there is currently no evidence of the vulnerabilities being exploited in real-world attacks, Cisco acknowledged the existence of a proof of concept. This underscores the urgency of applying the provided patches promptly, as it is only a matter of time before threat actors attempt to exploit these vulnerabilities.