Input validation error in Cisco Systems, Inc products - CVE-2020-3161

 

Published: April 16, 2020 / Updated: February 20, 2022


Vulnerability identifier: #VU26976
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2020-3161
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vendor: Cisco Systems, Inc
Affected software:
Cisco IP Phone 7811
Cisco IP Phone 7821
Cisco IP Phone 7841
Cisco IP Phone 7861
Cisco IP Phone 8811
Cisco IP Phone 8841
Cisco Wireless IP Phone 8845
Cisco Wireless IP Phone 8851
Cisco Unified IP Conference Phone 8831
Cisco Wireless IP Phone 8821
Cisco Wireless IP Phone 8821-EX
Cisco IP Phone 8861
Cisco IP Phone 8865

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insufficient validation of user-supplied input in HTTP requests by the web server for Cisco IP Phones. A remote attacker can send a specially crafted HTTP request and execute arbitrary code with root privileges or cause a reload of an affected IP phone, resulting in a denial of service (DoS) condition.


How to mitigate CVE-2020-3161

Install updates from the vendor's website.
