Cisco is warning of multiple critical remote code execution zero-days in the web-based management interface of the end-of-life Small Business SPA 300 and SPA 500 series IP phones.
The vendor has not made fixes available for these devices and shared no mitigation tips, so users of those products will have to move to newer and actively supported models as soon as possible.
Vulnerability details
Cisco has disclosed five flaws, three rated critical (CVSS v3.1 score: 9.8) and two categorized as high-severity (CVSS v3.1 score: 7.5).
The critical vulnerabilities are tracked as CVE-2024-20450, CVE-2024-20452, and CVE-2024-20454.
These buffer overflow vulnerabilities allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying OS with root privileges by sending a specially crafted HTTP request to the target device.
“A successful exploit could allow the attacker to overflow an internal buffer and execute arbitrary commands at the root privilege level,” warns Cisco in the bulletin.
The two high-severity flaws are CVE-2024-20451 and CVE-2024-20453. They are caused by inadequate checks on HTTP packets, which allow malicious packets to cause a denial of service on the affected device.
Cisco notes that all five flaws impact all software releases that run on SPA 300 and SPA 500 IP phones regardless of their configuration and are independent of one another, meaning that they can be exploited individually.
End of support
According to Cisco’s support portal, SPA 300 was last sold to customers in February 2019 and reached its end of support three years later, in February 2022.
For SPA 500, the vendor stopped selling the hardware on the same date it reached its end of support, on June 1, 2020.
It should be noted that Cisco is still covering SPA 500 until May 31, 2025 for holders of service contracts or special warranty terms, but SPA 300 isn’t covered since February 29, 2024.
Neither will get a security update, so users are advised to transition to newer, supported models, like the Cisco IP Phone 8841 or a model from the Cisco 6800 series.
Cisco also offers a Technology Migration Program (TMP), which allows customers to trade in eligible products and receive credit toward new equipment.
Those unsure about their options are advised to contact Cisco’s Technical Assistance Center (TAC).
