OS Command Injection in Small Business SPA300 and Cisco Small Business SPA500 Series IP Phones - CVE-2024-20452

 

OS Command Injection in Small Business SPA300 and Cisco Small Business SPA500 Series IP Phones - CVE-2024-20452

Published: August 8, 2024


Vulnerability identifier: #VU95550
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2024-20452
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Small Business SPA300
Cisco Small Business SPA500 Series IP Phones

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the web-based management interface. A remote unauthenticated attacker can send specially crafted HTTP packets and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


How to mitigate CVE-2024-20452

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Sources