CVE-2021-33478

moderate-risk

Published 2021-07-22

The TrustZone implementation in certain Broadcom MediaxChange firmware could allow an unauthenticated, physically proximate attacker to achieve arbitrary code execution in the TrustZone Trusted Execution Environment (TEE) of an affected device. This, for example, affects certain Cisco IP Phone and Wireless IP Phone products before 2021-07-07. Exploitation is possible only when the attacker can disassemble the device in order to control the voltage/current for chip pins.

Do I need to act?

0.13% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.8/10 Medium

PHYSICAL / LOW complexity

Affected Products (15)

Ip Phone 8800 Firmware

Ip Phone 8800 Series With Multiplatform Firmware

Ip Phone 8811 Firmware

Ip Phone 8811 With Multiplatform Firmware

Ip Phone 8841 Firmware

Ip Phone 8841 With Multiplatform Firmware

Ip Phone 8845 Firmware

Ip Phone 8845 With Multiplatform Firmware

Ip Phone 8851 Firmware

Ip Phone 8851 With Multiplatform Firmware

Ip Phone 8861 Firmware

Ip Phone 8861 With Multiplatform Firmware

Ip Phone 8865 Firmware

Ip Phone 8865 With Multiplatform Firmware

Wireless Ip Phone 8821 Firmware

Affected Vendors

Cisco

References (2)

Vendor Advisory https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-b...

/ 100

moderate-risk

Severity 22/34 · High

Exploitability 1/34 · Minimal

Exposure 18/34 · Moderate