Cisco Small Business IP Phones Vulnerabilities: Attackers Can Execute Arbitrary Commands

Source: Cybersecurity News (cybersecuritynews.com)


Cisco has disclosed multiple critical vulnerabilities affecting its Small Business SPA300 and SPA500 Series IP Phones, potentially allowing attackers to execute arbitrary commands with root privileges or cause denial of service conditions.

The flaws, which have been assigned CVE identifiers CVE-2024-20450, CVE-2024-20451, CVE-2024-20452, CVE-2024-20453, and CVE-2024-20454, exist in the web-based management interface of these devices.

The most severe vulnerabilities (CVE-2024-20450, CVE-2024-20452, and CVE-2024-20454) could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system with root privileges.

These flaws stem from improper error checking of incoming HTTP packets, which could result in a buffer overflow. An attacker could exploit this by sending a crafted HTTP request to an affected device.
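The advisory describes the bug class only in general terms: an incoming HTTP packet whose length is not checked before it is copied into a fixed-size buffer. The C below is an added illustration of that pattern, written for this article; it is not Cisco's code and makes no claim about how the SPA300/SPA500 firmware is actually implemented. The fixed buffer size `VALUE_MAX`, the `parse_header_line` helper and the sample header lines are all constructed for the example. The unchecked copy is shown beside a hardened version that rejects anything that does not fit and copies with an explicit bound.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Assumed fixed-size buffer for one header field (constructed for this example). */
#define VALUE_MAX 32

/* Vulnerable pattern: the code trusts the length of the incoming value.
 * A value of VALUE_MAX bytes or more writes past the end of 'out'. */
void copy_value_unchecked(char out[VALUE_MAX], const char *value) {
    strcpy(out, value);            /* no bound check: overlong input overruns the buffer */
}

/* Hardened pattern: check the length first, then copy with an explicit bound.
 * Returns true on success; on rejection it leaves out[0] == '\0' and returns false. */
bool copy_value_checked(char out[VALUE_MAX], const char *value) {
    size_t n = strlen(value);
    if (n >= VALUE_MAX) {          /* need one byte for the terminator */
        out[0] = '\0';
        return false;
    }
    memcpy(out, value, n + 1);     /* copies the terminator too */
    return true;
}

/* Splits one "Name: value" header line into name and value using the checked copy.
 * Returns true only if the line is well-formed and both parts fit their buffers. */
bool parse_header_line(const char *line, char name[VALUE_MAX], char value[VALUE_MAX]) {
    name[0] = '\0';
    value[0] = '\0';
    const char *colon = strchr(line, ':');
    if (colon == NULL) return false;                    /* not a header line */
    size_t nlen = (size_t)(colon - line);
    if (nlen == 0 || nlen >= VALUE_MAX) return false;   /* empty or overlong name */
    memcpy(name, line, nlen);
    name[nlen] = '\0';
    const char *v = colon + 1;
    while (*v == ' ' || *v == '\t') v++;                /* skip optional whitespace */
    return copy_value_checked(value, v);
}

int main(void) {
    char name[VALUE_MAX], value[VALUE_MAX];
    /* Constructed sample input: one normal header line and one with an overlong value. */
    const char *ok_line = "Host: phone.example.internal";
    char long_line[128] = "Host: ";
    memset(long_line + 6, 'A', 100);
    long_line[106] = '\0';
    printf("normal line accepted:   %d\n", parse_header_line(ok_line, name, value));
    printf("overlong line accepted: %d\n", parse_header_line(long_line, name, value));
    return 0;
}
```

The point of the comparison is the error path: the hardened parser treats an oversized field as a malformed request and refuses it, rather than assuming the sender stayed within the buffer. On a device that is end-of-life and will not receive a fix, the equivalent control is keeping untrusted hosts from reaching the management interface at all.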


CVE-2024-20451 and CVE-2024-20453 could also allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition.

The advisory carries a Critical severity rating; the CVSS Base Scores are 9.8 for the arbitrary command execution flaws and 7.5 for the DoS vulnerabilities.

Cisco has stated it will not release software updates to address these vulnerabilities, as the affected products have entered the end-of-life process. The company advises customers to refer to the end-of-life notices for these products and consider device migration.

No workarounds are currently available for these vulnerabilities. Organizations using Cisco Small Business SPA300 and SPA500 Series IP Phones should assess their exposure and consider replacing these devices with supported alternatives.

Aidan of BAE Systems Digital Intelligence reported the vulnerabilities to Cisco. Currently, Cisco is unaware of any public announcements or malicious use of these vulnerabilities in the wild.
