Hello? Are you talking on a Cisco SPA300 or SPA500 IP phone? Now's the time to junk 'em
2024-08-09 00:30

A boffin from British defence contractor BAE has found three critical flaws in Cisco's Small Business SPA300 and SPA500 IP phones - and another couple of nasties - none of which will be fixed or mitigated.

In an advisory published on Wednesday, Cisco explained the three most serious flaws - all rated CVSS 9.8 - affect the web-based management interface of the devices and could allow an unauthenticated remote attacker to gain root privileges.

Cisco formally stopped shipping fixes for SPA300 handsets in 2020 and ended all support for the devices in February 2024.

Cisco won't help - a stance it has also taken with phone adapters and routers it deems so ancient that customers need to acquire replacements.

Products like desktop phones are often assumed to just keep on working forever - because they're just phones - so customers don't think of replacing them the way they do other tech.


News URL

https://go.theregister.com/feed/www.theregister.com/2024/08/09/cisco_ip_phone_critical_flaws/

Related vendor

VENDOR   LAST 12M   #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Cisco               4409         230   3101     1852   602        5785