Critical Cisco Small Business IP Phone Flaws Exposes Users to Remote Attacks

Cisco has issued a security advisory warning users of its Small Business SPA300 and SPA500 Series IP Phones about multiple critical vulnerabilities that could allow remote attackers to execute arbitrary commands or cause denial of service (DoS) conditions.

These vulnerabilities affect all software releases for the mentioned series, and no software updates or workarounds are currently available.

Vulnerability Details

The vulnerabilities, CVE-2024-20450, CVE-2024-20452, and CVE-2024-20454, allow unauthenticated remote attackers to execute arbitrary commands on the operating system with root privileges.

This is due to improper error checking of incoming HTTP packets, leading to a potential buffer overflow.

CVE-2024-20451 and CVE-2024-20453 could also enable attackers to cause a DoS condition, forcing affected devices to reload unexpectedly.

These vulnerabilities are rated with a Security Impact Rating (SIR) of High. The command execution vulnerabilities have a CVSS Base Score of 9.8, indicating critical severity, while the DoS vulnerabilities have a CVSS Base Score of 7.5.

How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide

Vulnerability ID	Description	CVSS Base Score
CVE-2024-20450	IP Phones Web UI Arbitrary Command Execution Vulnerability	9.8
CVE-2024-20452	IP Phones Web UI Arbitrary Command Execution Vulnerability	9.8
CVE-2024-20454	IP Phones Web UI Arbitrary Command Execution Vulnerability	9.8
CVE-2024-20451	IP Phones Web UI DoS Vulnerability	7.5
CVE-2024-20453	IP Phones Web UI DoS Vulnerability	7.5

Cisco has confirmed that no software updates will be released to address these vulnerabilities, as the affected products have entered the end-of-life process.

Customers are advised to consult Cisco’s end-of-life notices and consider device migration to ensure continued security and support.

Cisco’s advisory emphasizes regularly checking security advisories to determine exposure and explore upgrade solutions.

While there are no workarounds available, Cisco recommends that users of the affected IP phone series consider migrating to newer, actively supported models.

Customers should ensure that any new devices meet their network needs and are compatible with existing hardware and software configurations.

Users can contact the Cisco Technical Assistance Center (TAC) or their maintenance providers for further guidance.

Cisco has acknowledged Aidan of BAE Systems Digital Intelligence for reporting these vulnerabilities. As of now, there have been no public announcements or reports of malicious exploitation of these vulnerabilities.

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access