CVE-2022-20660
moderate-risk
Published 2022-01-14
A vulnerability in the information storage architecture of several Cisco IP Phone models could allow an unauthenticated, physical attacker to obtain confidential information from an affected device. This vulnerability is due to unencrypted storage of confidential information on an affected device. An attacker could exploit this vulnerability by physically extracting and accessing one of the flash memory chips. A successful exploit could allow the attacker to obtain confidential information from the device, which could be used for subsequent attacks.
Do I need to act?
EPSS score: 0.09% chance of exploitation (low exploit probability)
CISA KEV: not on the CISA KEV list; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 4.6/10 (Medium); attack vector PHYSICAL, LOW attack complexity
Affected Products (20)
Ip Conference Phone 7832 Firmware
Ip Conference Phone 8832 Firmware
Ip Phone 7811 Firmware
Ip Phone 7821 Firmware
Ip Phone 7841 Firmware
Ip Phone 7861 Firmware
Unified Ip Conference Phone 8831 Firmware
Unified Ip Conference Phone 8831 For Third-Party Call Control Firmware
Unified Ip Phone 7945G Firmware
Unified Ip Phone 7965G Firmware
Unified Ip Phone 7975G Firmware
Unified Sip Phone 3905 Firmware
Wireless Ip Phone 8821 Firmware
Wireless Ip Phone 8821-Ex Firmware
Affected Vendors
Cisco
References (6)
Mailing List
http://seclists.org/fulldisclosure/2022/Jan/34
Overall risk score: 36 / 100 (moderate-risk)
Severity: 16/34 · Moderate
Exploitability: 0/34 · Minimal
Exposure: 20/34 · Moderate