cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
234
Views
0
Helpful
1
Replies

Impact of CSCwe50762 RCE vulnerability on SPA122 (ATA with Router)

carllitt
Level 1
Level 1

The Security Advisory and CVE details state that only the SPA112 model is affected.  The SPA122 (ATA with Router) uses the same firmware file as the SPA112 and has the same LAN-facing web interface as the SPA112 with the addition of a WAN-facing web interface as well.  Based on this it's reasonable to assume the SPA122 could also be vulnerable but it's not included in the advisory.  However omission does not constitute confirmation that the SPA122 is somehow different enough to be excluded from the vulnerability risk.

Can we get confirmation that the SPA122 is  *not* affected by this vulnerability?

1 Reply 1

Leo Laohoo
Hall of Fame
Hall of Fame

You are f*cked either way.  Let me explain further: 

SPA112/122 is, conveniently, already past end-of-support.  This means Cisco has no legal obligation to release any software fixes.  In English, you're f*cked. 

All the software currently still allowed to be downloaded come with a time bomb and it is an expire QuoVadis Root CA Certifificate.  Cisco will not release any software fix for this.  In English, these software will brick the ATAs.  Guarantee.   

The only option is to replace the Cisco-branded ATA for a non-Cisco branded ATA.