Five zero-days impact EoL Cisco Small Business IP Phones. Replace them with newer models ASAP!

Cisco warns of multiple critical remote code execution zero-day vulnerabilities in end-of-life Small Business SPA 300 and SPA 500 series IP phones.

“Multiple vulnerabilities in the web-based management interface of Cisco Small Business SPA300 Series IP Phones and Cisco Small Business SPA500 Series IP Phones could allow an attacker to execute arbitrary commands on the underlying operating system or cause a denial of service (DoS) condition,” reads the advisory published by the vendor.

The vulnerabilities reside in the web-based management interface of the impacted devices; an attacker can exploit them to execute arbitrary commands on the underlying operating system or trigger a denial of service (DoS) condition.

Three of these vulnerabilities, tracked as CVE-2024-20450, CVE-2024-20452, and CVE-2024-20454 (CVSS score 9.8), are arbitrary command execution issues. An unauthenticated, remote attacker can exploit these flaws to execute arbitrary commands on the underlying operating system with root privileges.

“These vulnerabilities exist because incoming HTTP packets are not properly checked for errors, which could result in a buffer overflow. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to overflow an internal buffer and execute arbitrary commands at the root privilege level,” continues the advisory.

The remaining two vulnerabilities, tracked as CVE-2024-20451 and CVE-2024-20453 (CVSS score 7.5), can be exploited by an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, triggering a DoS condition.

“These vulnerabilities exist because HTTP packets are not properly checked for errors. An attacker could exploit this vulnerability by sending a crafted HTTP packet to the remote interface of an affected device. A successful exploit could allow the attacker to cause a DoS condition on the device,” states the advisory.

Aidan of BAE Systems Digital Intelligence discovered these vulnerabilities.

Cisco said that its Product Security Incident Response Team (PSIRT) is not aware of attacks in the wild exploiting these flaws.

The IT giant will not address the vulnerabilities and hasn’t provided mitigations. Customers using the impacted IP phones have to replace them with newer models as soon as possible.

Pierluigi Paganini

(SecurityAffairs – hacking, Small Business IP Phones)