CVE-2024-20378

Name: CVE-2024-20378
Creator: NVD / NIST
Published: 2024-05-01T17:15:28.66+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 0.80%

Last modified Jun 17, 2026

CVE-2024-20378 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. A vulnerability in the web-based management interface of Cisco IP Phone firmware could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device. This vulnerability is due to a lack of authentication for specific endpoints of the web-based management interface on an affected device. EPSS estimates a 0.80% chance of exploitation in the next 30 days.

Description

A vulnerability in the web-based management interface of Cisco IP Phone firmware could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device. This vulnerability is due to a lack of authentication for specific endpoints of the web-based management interface on an affected device. An attacker could exploit this vulnerability by connecting to the affected device. A successful exploit could allow the attacker to gain unauthorized access to the device, enabling the recording of user credentials and traffic to and from the affected device, including VoIP calls that could be replayed.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

0.80%

52.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-305

Affected Software

Vendor	Product	Versions
Cisco	Ip Phone 6821 With Multiplatform Firmware	< 12.0.4
Cisco	Ip Phone 6821 With Multiplatform Firmware	12.0.4
Cisco	Ip Phone 6841 With Multiplatform Firmware	< 12.0.4
Cisco	Ip Phone 6841 With Multiplatform Firmware	12.0.4
Cisco	Ip Phone 6851 With Multiplatform Firmware	< 12.0.4
Cisco	Ip Phone 6851 With Multiplatform Firmware	12.0.4
Cisco	Ip Phone 6861 With Multiplatform Firmware	< 12.0.4
Cisco	Ip Phone 6861 With Multiplatform Firmware	12.0.4
Cisco	Ip Phone 6871 With Multiplatform Firmware	< 12.0.4
Cisco	Ip Phone 6871 With Multiplatform Firmware	12.0.4
Cisco	Ip Phone 7811 With Multiplatform Firmware	< 12.0.4
Cisco	Ip Phone 7811 With Multiplatform Firmware	12.0.4
Cisco	Ip Phone 7821 With Multiplatform Firmware	< 12.0.4
Cisco	Ip Phone 7821 With Multiplatform Firmware	12.0.4
Cisco	Ip Phone 7841 With Multiplatform Firmware	< 12.0.4
Cisco	Ip Phone 7841 With Multiplatform Firmware	12.0.4
Cisco	Ip Phone 7861 With Multiplatform Firmware	< 12.0.4
Cisco	Ip Phone 7861 With Multiplatform Firmware	12.0.4
Cisco	Ip Phone 8811 With Multiplatform Firmware	< 12.0.4
Cisco	Ip Phone 8811 With Multiplatform Firmware	12.0.4
Cisco	Ip Phone 8841 With Multiplatform Firmware	< 12.0.4
Cisco	Ip Phone 8841 With Multiplatform Firmware	12.0.4
Cisco	Ip Phone 8851 With Multiplatform Firmware	< 12.0.4
Cisco	Ip Phone 8851 With Multiplatform Firmware	12.0.4
Cisco	Ip Phone 8851nr With Multiplatform Firmware	< 12.0.4
Cisco	Ip Phone 8851nr With Multiplatform Firmware	12.0.4
Cisco	Ip Phone 8861 With Multiplatform Firmware	< 12.0.4
Cisco	Ip Phone 8861 With Multiplatform Firmware	12.0.4
Cisco	Video Phone 8875 With Multiplatform Firmware	< 2.3.1.0101

References

Timeline

Published: May 1, 2024
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2024-20378?

How severe is CVE-2024-20378?

CVE-2024-20378 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 0.80% probability of exploitation in the next 30 days.

How do I fix CVE-2024-20378?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-20378?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST