Home Latest Cyber Security News | Network Security Hacking Cisco Disclosed Vulnerabilities In SPA500 Series IP Phones – Won’t Fix
Latest Cyber Security News | Network Security HackingNewsVulnerabilities

Cisco Disclosed Vulnerabilities In SPA500 Series IP Phones – Won’t Fix

by Abeerah Hashim
written by Abeerah Hashim
Cisco IP Phones vulnerabilities

Heads up, Cisco users! Cisco recently disclosed numerous vulnerabilities in SPA500 series IP phones, confirming that no workarounds exist for the flaws. Also, the firm has no plans to address the issues as these devices have reached their end-of-life. Therefore, users must consider getting rid of the vulnerable devices at the earliest.

Cisco IP Phones Vulnerabilities

In a recent advisory, Cisco described two different vulnerabilities affecting its SPA500 Series IP Phones.

SPA500 are Cisco’s small business IP phones offering affordable communications with numerous supportive features such as wideband audio, Bluetooth and WiFi support, etc. Their common usage in various big and small firms indicates the extent of impact of any exploits involving vulnerabilities in these devices.

According to Cisco, the first of these vulnerabilities include a cross-site scripting vulnerability (CVE-2023-20181). The vulnerability existed “due to insufficient validation of user-supplied input by the web-based management interface of the affected software.” Exploiting the flaw could allow an unauthenticated, remote adversary to execute arbitrary codes or access browser-based data. Whereas achieving this goal required the attacker to trick the victim user into clicking a maliciously crafted link.

The second vulnerability, CVE-2023-20218, includes an HTML injection due to insufficient user-input validation by the web-based management interface. A remote, unauthenticated adversary could easily exploit this flaw by tricking the victim into clicking a maliciously crafted link. Once done, the attacker could perform client-side attacks, such as injecting malicious redirections from the target web page.

The firm has acknowledged the researchers Ahmed Hassan and Josef Hassan of Titanium Cyber Security Solutions for discovering and reporting these vulnerabilities.

No Plans To Patch Flaws Due To Devices’ EOL

As explained in the advisory, both vulnerabilities received medium severity ratings and a CVSS score of 6.1. Also, the firm detected no active exploitation attempts for the flaws.

However, these flaws are important for the users because the firm has confirmed not to address these issues. That’s because the SPA500 IP Phones have reached their end-of-life. Consequently, no workarounds exist to mitigate the issues. Therefore, the only way for users to protect their networks from potential threats is to migrate to other devices.

Let us know your thoughts in the comments.

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

You may also like

Multiple Vulnerabilities Found In Forminator WordPress Plugin

Palo Alto Networks Patched A Pan-OS Vulnerability Under...

Apple Removed Numerous Apps From China App Store

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall...

Personal Data Exposed in Massive Global Hack: Understanding...

Guardz Welcomes SentinelOne as Strategic Partner and Investor...

Invision Community Vulnerabilities Risk E-Commerce Websites

Microsoft April Patch Tuesday Fixes Dozens of RCE...

Match Systems publishes report on the consequences of...

Cypago Announces New Automation Support for AI Security...