Cisco IP Phones Exposed: Vulnerabilities Allow Hackers to Disrupt, Spy, and Even Make Calls

Cisco has issued a security advisory highlighting multiple vulnerabilities in the firmware of several IP Phone models that could allow unauthenticated, remote attackers to engage in detrimental activities ranging from denial of service (DoS) to unauthorized access and sensitive information exposure. These security gaps affect a range of widely used Cisco IP Phones and pose significant threats to business communications security.

Detailed Vulnerabilities

1. Cisco IP Phone DoS Vulnerability (CVE-2024-20376, CVSS 7.5): A flaw in the web-based management interface could allow attackers to send specially crafted requests, leading to affected devices reloading and causing a DoS condition. This vulnerability stems from insufficient validation of user-supplied input, posing a risk to the availability of communication services.
2. Cisco IP Phone Information Disclosure Vulnerability (CVE-2024-20378, CVSS 7.5): This security weakness allows attackers to gain unauthorized access to sensitive information through unauthenticated endpoints of the web-based management interface. Successful exploitation could enable attackers to record user credentials and VoIP call data, compromising confidentiality and integrity.
3. Cisco IP Phone Unauthorized Access Vulnerability (CVE-2024-20357, CVSS 5.3): Located in the XML service of the firmware, this vulnerability permits remote attackers to send crafted XML requests that initiate phone calls or play sounds on affected devices. It is important to note that the XML service is disabled by default, which may limit the exposure of some systems.

Who’s Affected?

Organizations using the following Cisco IP Phone models are vulnerable:

• IP Phone 6800 Series with Multiplatform Firmware
• IP Phone 7800 Series with Multiplatform Firmware
• IP Phone 8800 Series with Multiplatform Firmware
• Video Phone 8875 in Multiplatform Mode

Security Updates and Recommendations

In response to these vulnerabilities, Cisco has released software updates that directly address these issues. For the affected Multiplatform Firmware, the first fixed release is version 12.0.4SR1 for the 6800, 7800, and 8800 series. The Video Phone 8875 should be updated to Cisco PhoneOS 2.3.1.0101 or later to mitigate the vulnerabilities.

It is crucial to note that there are no workarounds available that address these vulnerabilities, making it essential for affected organizations to apply the necessary firmware updates promptly.

While there are currently no public announcements or known malicious exploitations of these vulnerabilities, the potential impact suggests that they could become attractive targets for cybercriminals. Organizations are encouraged to upgrade their systems even in the absence of active threats to ensure they remain protected against future exploitations.