Security News > 2020 > April > Cisco IP Phone Harbors Critical RCE Flaw
Cisco is warning of a critical flaw in the web server of its IP phones.
Cisco issued patches in a Wednesday advisory for the flaw, which affects various versions of its Cisco IP phones for small- to medium-sized businesses.
According to Jacob Baines with Tenable, who discovered the flaw, Cisco IP phone web servers lack proper input validation for HTTP requests.
Affected products include: IP Phone 7811, 7821, 7841, and 7861 Desktop Phones; IP Phone 8811, 8841, 8845, 8851, 8861, and 8865 Desktop Phones; Unified IP Conference Phone 8831 and Wireless IP Phone 8821 and 8821-EX. Of note, according to Cisco, some of these products are utilized by the healthcare industry who are currently on the frontlines of the coronavirus pandemic.
Beyond Cisco's patches, one mitigation for the flaw is disabling web access on the IP phones, according to Cisco.
News URL
https://threatpost.com/critical-cisco-ip-phone-rce-flaw/154864/
Related news
- Cisco warns of critical RCE zero-days in end of life IP phones (source)
- CISA warns critical Geoserver GeoTools RCE flaw is exploited in attacks (source)
- Cisco Warns of Critical Flaw Affecting On-Prem Smart Software Manager (source)
- Cisco fixes critical flaws in Secure Email Gateway and SSM On-Prem (CVE-2024-20401, CVE-2024-20419) (source)
- Critical Cisco bug lets hackers add root users on SEG devices (source)
- Progress warns of critical RCE bug in Telerik Report Server (source)
- Critical ServiceNow RCE flaws actively exploited to steal credentials (source)
- Progress fixes critical RCE flaw in Telerik Report Server, upgrade ASAP! (CVE-2024-6327) (source)
- Critical Apache OFBiz pre-auth RCE flaw fixed, update ASAP! (CVE-2024-38856) (source)
- Critical Progress WhatsUp RCE flaw now under active exploitation (source)