August 9, 2024 By Pierluigi Paganini

Cisco warns of critical remote code execution zero-day vulnerabilities impacting end-of-life Small Business SPA 300 and SPA 500 series IP phones.
“Multiple vulnerabilities in the web-based management interface of Cisco Small Business SPA300 Series IP Phones and Cisco Small Business SPA500 Series IP Phones could allow an attacker to execute arbitrary commands on the underlying operating system or cause a denial of service (DoS) condition,” reads the advisory published by the vendor.
The vulnerabilities reside in the web-based management interface of the impacted devices; an attacker can exploit them to execute arbitrary commands on the underlying operating system or trigger a denial of service (DoS) condition.
Three of these vulnerabilities, tracked as CVE-2024-20450, CVE-2024-20452, and CVE-2024-20454 (CVSS score 9.8), are arbitrary command execution issues. An unauthenticated, remote attacker can exploit these flaws to execute arbitrary commands on the underlying operating system with root privileges.