Cisco has released security updates to fix multiple vulnerabilities affecting certain Cisco Small Business Series Switches. Of the 9 vulnerabilities listed in the official advisory, 4 are classified as Critical with a CVSS score of 9.8 (CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189).
Proof-of-concept code is available for the described vulnerabilities; however, as of writing, the Cisco PSIRT Team is not aware of any malicious use of them.
A. List of Affected Cisco Products
- 250 Series Smart Switches
- 350 Series Managed Switches
- 350X Series Stackable Managed Switches
- 550X Series Stackable Managed Switches
- Business 250 Series Smart Switches
- Business 350 Series Managed Switches
- Small Business 200 Series Smart Switches
- Small Business 300 Series Managed Switches
- Small Business 500 Series Stackable Managed Switches
B. Actions to be Taken
CERT-PH recommends the following actions be taken:
- Kindly review and apply the necessary updates to mitigate future threats.
- For additional information, kindly refer to the official report.