Cisco Warns of Critical Flaws in Discontinued IP Phones
Cisco has alerted users to the presence of several vulnerabilities in the web management interface of the discontinued Small Business SPA 300 and SPA 500 IP phone series. These discovered flaws allow attackers to remotely execute arbitrary code on the devices.
As these models are no longer supported, Cisco has not released updates to address the issues nor provided any workarounds. Consequently, users are strongly urged to migrate to newer, supported phone models as soon as possible.
Cisco experts identified five vulnerabilities:
- Three vulnerabilities, each with a CVSS score of 9.8 (CVE-2024-20450, CVE-2024-20452, and CVE-2024-20454), are buffer overflows that allow an unauthenticated remote attacker to send specially crafted HTTP requests and execute commands with root privileges on the target device.
- Two vulnerabilities, each with a CVSS score of 7.5 (CVE-2024-20451 and CVE-2024-20453), stem from insufficient validation of HTTP packets, which could lead to a Denial of Service (DoS).
All the flaws affect every software release for the SPA 300 and SPA 500 IP phones, regardless of device configuration. Each vulnerability can be exploited independently of the others, which further increases the risk.
Support for the SPA 300 series ended in February 2022, while support for the SPA 500 series concluded in June 2020. Although the SPA 500 series will continue to be covered by service contracts and special warranty conditions until the end of May 2025, security updates for the SPA 300 series have not been available since February 2024. Transitioning to newer models—such as the Cisco IP Phone 8841 or devices from the Cisco 6800 series—has become a critically important step to safeguard corporate networks.