Cisco Disclosed Vulnerabilities In SPA500 Series IP Phones – Won’t Fix

Heads up, Cisco users! Cisco recently disclosed numerous vulnerabilities in SPA500 series IP phones, confirming that no workarounds exist for the flaws. Also, the firm has no plans to address the issues as these devices have reached their end-of-life. Therefore, users must consider getting rid of the vulnerable devices at the earliest.

Cisco IP Phones Vulnerabilities

In a recent advisory, Cisco described two different vulnerabilities affecting its SPA500 Series IP Phones.

SPA500 are Cisco’s small business IP phones offering affordable communications with numerous supportive features such as wideband audio, Bluetooth and WiFi support, etc. Their common usage in various big and small firms indicates the extent of impact of any exploits involving vulnerabilities in these devices.

According to Cisco, the first of these vulnerabilities include a cross-site scripting vulnerability (CVE-2023-20181). The vulnerability existed “due to insufficient validation of user-supplied input by the web-based management interface of the affected software.” Exploiting the flaw could allow an unauthenticated, remote adversary to execute arbitrary codes or access browser-based data. Whereas achieving this goal required the attacker to trick the victim user into clicking a maliciously crafted link.

The second vulnerability, CVE-2023-20218, includes an HTML injection due to insufficient user-input validation by the web-based management interface. A remote, unauthenticated adversary could easily exploit this flaw by tricking the victim into clicking a maliciously crafted link. Once done, the attacker could perform client-side attacks, such as injecting malicious redirections from the target web page.

The firm has acknowledged the researchers Ahmed Hassan and Josef Hassan of Titanium Cyber Security Solutions for discovering and reporting these vulnerabilities.

No Plans To Patch Flaws Due To Devices’ EOL

As explained in the advisory, both vulnerabilities received medium severity ratings and a CVSS score of 6.1. Also, the firm detected no active exploitation attempts for the flaws.

However, these flaws are important for the users because the firm has confirmed not to address these issues. That’s because the SPA500 IP Phones have reached their end-of-life. Consequently, no workarounds exist to mitigate the issues. Therefore, the only way for users to protect their networks from potential threats is to migrate to other devices.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients