Unauthorized Access to Sensitive Information in Cisco IP Phone Firmware
CVE-2024-20378

7.5 HIGH

Key Information:

Vendor
Cisco
CVE Published:
1 May 2024

Summary

A vulnerability in the web-based management interface of Cisco IP Phone firmware could allow an unauthenticated, remote attacker to access sensitive information stored on an affected device. The flaw stems from missing authentication on specific endpoints of the interface, so an attacker can connect to them without valid credentials. Successful exploitation lets the attacker retrieve user credentials and capture traffic handled by the phone, including VoIP calls, which could in turn enable replay attacks and disclosure of sensitive data. Organizations running Cisco IP Phones should prioritize applying Cisco's fixed firmware and restricting network access to the phones' management interface to reduce exposure in the meantime.

Affected Version(s)

Cisco IP Phones with Multiplatform Firmware 11.3.1 MSR2-6

Cisco IP Phones with Multiplatform Firmware 11.3.1 MSR3-3

Cisco IP Phones with Multiplatform Firmware 11.3.2

CVSS v3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved