Unauthorized Remote Execution of Arbitrary Commands on Cisco Small Business IP Phones
CVE-2024-20450

9.8CRITICAL

Key Information:

Vendor
Cisco
Status
Cisco Small Business Ip Phones
Vendor
CVE Published:
7 August 2024

Summary

Vulnerabilities exist in the web-based management interface of Cisco Small Business SPA300 Series IP Phones and Cisco Small Business SPA500 Series IP Phones that could permit unauthenticated remote attackers to execute arbitrary commands on the device's operating system with root privileges. These issues arise from inadequate error checking of incoming HTTP packets, which can lead to buffer overflow conditions. By sending specially crafted HTTP requests to affected devices, attackers may gain the ability to overflow an internal buffer, ultimately enabling them to execute commands with elevated privileges, potentially compromising the integrity and security of the devices.

Affected Version(s)

Cisco Small Business IP Phones 7.6.0

Cisco Small Business IP Phones 7.6.2

Cisco Small Business IP Phones 7.6.2SR3

References

https://sec.cloudapps.cisco.com/security/center/content/C...

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.