#VU19286 Improper Neutralization of Special Elements used in a Command ('Command Injection') in Cisco Small Business SPA500 Series IP Phones - CVE-2019-1923
Vulnerability identifier: #VU19286
Vulnerability risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-77
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
Cisco Small Business SPA500 Series IP Phones
Hardware solutions /
Office equipment, IP-phones, print servers
Vendor: Cisco Systems, Inc
Description
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
Cisco Small Business SPA500 Series IP Phones: 7.6.2SR5
External links
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190717-spa500-command
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
