Cisco IP Phones Vulnerable to Data Leak: Urgent Update Required
A critical vulnerability (CVE-2024-20445) has been discovered in several Cisco IP phone product lines, allowing remote attackers to access confidential information. The affected models include the Desk Phone 9800, IP Phone 7800 and 8800 series, as well as the Video Phone 8875.
The issue arises from improper storage of sensitive information in the web interface of phones running SIP software, which exposes that information (CWE-200) when the Web Access feature is enabled. An attacker can exploit the vulnerability simply by browsing to the IP address of a vulnerable device.
A successful attack could grant access to information such as call records, compromising user privacy. The Web Access feature is disabled by default, which somewhat mitigates the risk. Once it is enabled, however, the vulnerability becomes exploitable.
Cisco has confirmed the issue and released updates to remediate the vulnerability. The only fix is a software update; there is no alternative workaround. All users with Web Access enabled should either disable this feature or update their software immediately.
As of publication, the vulnerability affects the Cisco Desk Phone 9800, IP Phone 7800 and 8800 series (excluding the Wireless IP Phone 8821), and the Video Phone 8875. To safeguard their data, users are advised to verify whether Web Access is enabled and, if it is, either disable it or install the latest updates.
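One way to run that verification across a fleet you manage, as an added example that is not from Cisco or the original article: it reads a phone inventory, keeps only the affected series (skipping the 8821), and re-checks phones recorded as "disabled" by testing whether their web port answers. The CSV columns, the `CP-`/`DP-` model naming, the two-digit series mapping and ports 80/443 are assumptions, and the inventory is constructed sample data.

```python
import csv, io, re, socket

# Constructed sample inventory (RFC 5737 documentation addresses, not real phones).
SAMPLE_INVENTORY = """ip,model,web_access
192.0.2.10,CP-7841,enabled
192.0.2.11,CP-8851,disabled
192.0.2.12,CP-8821,enabled
192.0.2.13,DP-9851,disabled
192.0.2.14,CP-8875,enabled
192.0.2.15,CP-6941,enabled
"""

# Series named in the article, keyed by the first two digits of the model number (assumed).
AFFECTED_SERIES = {"78": "IP Phone 7800", "88": "IP Phone 8800", "98": "Desk Phone 9800"}

def series_of(model):
    """Return the affected series for a model string, or None if out of scope."""
    match = re.search(r"\d{4}", model)
    if not match or match.group() == "8821":  # Wireless IP Phone 8821 is excluded
        return None
    if match.group() == "8875":
        return "Video Phone 8875"
    return AFFECTED_SERIES.get(match.group()[:2])

def web_ui_reachable(ip, ports=(80, 443), timeout=2.0):
    """True if a TCP connection to an assumed web UI port succeeds."""
    for port in ports:
        try:
            with socket.create_connection((ip, port), timeout=timeout):
                return True
        except OSError:
            continue
    return False

def triage(inventory_csv, probe=web_ui_reachable):
    """Return (ip, model, series, status) for each affected phone in the inventory."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        series = series_of(row["model"])
        if series is None:
            continue
        # Trust an "enabled" record; re-check "disabled" ones in case the record is stale.
        enabled = row["web_access"].strip().lower() == "enabled"
        status = "exposed" if enabled or probe(row["ip"]) else "not exposed"
        findings.append((row["ip"], row["model"], series, status))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY, probe=lambda ip: False):  # stub probe: offline
        print(*finding, sep="\t")
```

Calling `triage()` without the `probe` argument performs the real TCP check, which catches phones whose inventory record says "disabled" but whose web interface still answers.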