Critical Zero-Day Vulnerabilities Identified in Cisco’s End-of-Life IP Phones

August 8, 2024

Cisco has issued an alert about several critical remote code execution vulnerabilities in the web-based management interface of its now-discontinued Small Business SPA 300 and SPA 500 series IP phones. The tech giant has not provided any patches for these devices nor offered any mitigation advice. As a result, users of these products are urged to upgrade to newer, actively supported models as soon as feasible.

Cisco has revealed five vulnerabilities, three of which are classified as critical with a CVSS v3.1 score of 9.8, and two that are considered high-severity with a CVSS v3.1 score of 7.5. The critical vulnerabilities are identified as CVE-2024-20450, CVE-2024-20452, and CVE-2024-20454. These buffer overflow vulnerabilities could enable an unauthenticated, remote attacker to execute arbitrary commands on the underlying OS with root privileges by sending a specially designed HTTP request to the target device. As quoted from the Cisco bulletin, 'A successful exploit could allow the attacker to overflow an internal buffer and execute arbitrary commands at the root privilege level.'

The high-severity vulnerabilities are CVE-2024-20451 and CVE-2024-20453. These are due to insufficient checks on HTTP packets, which could allow malicious packets to trigger a denial of service on the affected device. Cisco has noted that all five vulnerabilities affect all software releases running on the SPA 300 and SPA 500 IP phones, regardless of their configuration. These vulnerabilities are independent of each other, indicating that they can be exploited separately.
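To make the bug class concrete, the following C snippet contrasts the unsafe pattern the advisory describes (request data copied into a fixed-size buffer with no length check) with a hardened handler that validates the length first and rejects the request when it does not fit. This is an added illustrative example written for this article; it is not Cisco's firmware code, and the 64-byte buffer, the request-line format and the `probe_path_length` helper are assumptions made up for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of a fixed buffer a handler might use to hold the request path. */
#define PATH_BUF_LEN 64

/* The unsafe pattern (illustrative, not Cisco's code): the path from the HTTP
 * request line is copied into a fixed-size buffer without comparing its length
 * against the buffer, so a longer-than-expected path writes past the end. */
void copy_path_unchecked(const char *request_line, char path[PATH_BUF_LEN])
{
    const char *start = strchr(request_line, ' ');
    if (!start) { path[0] = '\0'; return; }
    start++;
    const char *end = strchr(start, ' ');
    size_t len = end ? (size_t)(end - start) : strlen(start);
    memcpy(path, start, len);   /* no check of len against PATH_BUF_LEN */
    path[len] = '\0';
}

/* Hardened form: check the length before any copy and refuse the request when
 * it does not fit. Returns 0 on success, -1 for a malformed or overlong line. */
int copy_path_checked(const char *request_line, char path[PATH_BUF_LEN])
{
    const char *start = strchr(request_line, ' ');
    if (!start) return -1;                      /* no method/path separator */
    start++;
    const char *end = strchr(start, ' ');
    size_t len = end ? (size_t)(end - start) : strlen(start);
    if (len >= PATH_BUF_LEN) return -1;         /* leave room for the NUL */
    memcpy(path, start, len);
    path[len] = '\0';
    return 0;
}

/* Accept (0) or reject (-1) a request line using the hardened parser. */
int check_request_line(const char *request_line)
{
    char path[PATH_BUF_LEN];
    return copy_path_checked(request_line, path);
}

/* Helper (assumed, for testing): builds a constructed request whose path is
 * "/" followed by path_len 'A' characters and runs it through the check. */
int probe_path_length(size_t path_len)
{
    char request[512];
    if (path_len + 16 > sizeof request) return -1;   /* sample too large */
    memcpy(request, "GET /", 5);
    memset(request + 5, 'A', path_len);
    strcpy(request + 5 + path_len, " HTTP/1.1");
    return check_request_line(request);
}

int main(void)
{
    /* Constructed sample inputs: a normal request and an overlong path. */
    printf("normal request: %d\n", check_request_line("GET /admin/status HTTP/1.1"));
    printf("path of 63 chars (fits): %d\n", probe_path_length(62));
    printf("path of 64 chars (rejected): %d\n", probe_path_length(63));
    printf("path of 200 chars (rejected): %d\n", probe_path_length(200));
    return 0;
}
```

The defensive point is that the length comparison happens before the copy, so an oversized request is turned into an ordinary error return rather than a memory write past the buffer. The unchecked version is included only to show the shape of the mistake; it should never be called with untrusted input.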

According to information from Cisco's support portal, the SPA 300 series was last sold to customers in February 2019 and reached its end of support three years later, in February 2022. For the SPA 500 series, Cisco discontinued the hardware on the same date it reached its end of support, on June 1, 2020. It's worth mentioning that Cisco will continue to cover the SPA 500 series until May 31, 2025 for those with service contracts or special warranty terms, but the SPA 300 series has not been covered since February 29, 2024. Neither series will receive a security update, so users are encouraged to transition to newer, supported models, such as the Cisco IP Phone 8841 or a model from the Cisco 6800 series.

Cisco also provides a Technology Migration Program (TMP), which allows customers to exchange eligible products and receive credit toward new equipment. Those unsure about their options are advised to contact Cisco's Technical Assistance Center (TAC).
