CVE-2024-20451

moderate-risk

Published 2024-08-07

Multiple vulnerabilities in the web-based management interface of Cisco Small Business SPA300 Series IP Phones and Cisco Small Business SPA500 Series IP Phones could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly. These vulnerabilities exist because HTTP packets are not properly checked for errors. An attacker could exploit this vulnerability by sending a crafted HTTP packet to the remote interface of an affected device. A successful exploit could allow the attacker to cause a DoS condition on the device.

Do I need to act?

1.3% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (11)

Spa 301 Firmware

Spa 303 Firmware

Spa 501G Firmware

Spa 502G Firmware

Spa 504G Firmware

Spa 508G Firmware

Spa 509G Firmware

Spa 512G Firmware

Spa 514G Firmware

Spa 525G Firmware

Spa 525G2 Firmware

Affected Vendors

Cisco

References (1)

Vendor Advisory https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/ci...

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 4/34 · Minimal

Exposure 16/34 · Moderate