Cisco joined the April patch bonanza issuing security advisories for eight products, two of which the company considers critical.
The advisories for the Cisco IP Phones Web Server and for Cisco UCS Director and Cisco UCS Director Express for Big Data contain a total of 10 vulnerabilities that Cisco rates as critical.
A specific set of Cisco IP Phones has a single web server bug, CVE-2020-3161, that if exploited can lead to a denial-of-service condition or remote code execution. The vulnerability is due to a lack of proper input validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web server of a targeted device, Cisco said.
A patch is available, and for those who wish to mitigate without patching, Cisco recommends disconnecting the phones from the internet.
The advisory for Cisco UCS Director and Cisco UCS Director Express for Big Data contains the remaining nine critical CVEs. The most serious is CVE-2020-3243, which is due to insufficient access control validation. An attacker could exploit this vulnerability by sending a crafted request to the REST API. A successful exploit could allow the attacker to interact with the REST API with administrative privileges, Cisco said.
Software updates have been made available.
The remaining six advisories are for Cisco Wireless LAN Controller, Cisco Webex Network Recording Player and Cisco Webex Player, Cisco Mobility Express Software, Cisco IoT Field Network Director, Cisco Unified Communications Manager and Cisco Aironet Series Access Points.