Strix
26.1K

CVE-2024-20445

MEDIUMCVSS 5.3/10EPSS 0.45%

Last modified

CVE-2024-20445 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 could allow an unauthenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to improper storage of sensitive information within the web UI of Session Initiation Protocol (SIP)-based phone loads. An attacker could exploit this vulnerability by browsing to the IP address of a device that has Web Access enabled. EPSS estimates a 0.45% chance of exploitation in the next 30 days.

Description

A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 could allow an unauthenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to improper storage of sensitive information within the web UI of Session Initiation Protocol (SIP)-based phone loads. An attacker could exploit this vulnerability by browsing to the IP address of a device that has Web Access enabled. A successful exploit could allow the attacker to access sensitive information, including incoming and outgoing call records. Note: Web Access is disabled by default.

Metrics

CVSS 3.1
5.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Probability
0.45%

35.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
CiscoDesk Phone 9841 Firmware3.1\(1\)
CiscoDesk Phone 9851 Firmware3.1\(1\)
CiscoDesk Phone 9861 Firmware3.1\(1\)
CiscoDesk Phone 9871 Firmware3.1\(1\)
CiscoIp Conference Phone 7832 Firmware< 14.3\(1\)
CiscoIp Conference Phone 8831 Firmware< 14.3\(1\)
CiscoIp Conference Phone 8832 Firmware< 14.3\(1\)
CiscoIp Phone 7811 Firmware< 14.3\(1\)
CiscoIp Phone 7821 Firmware< 14.3\(1\)
CiscoIp Phone 7841 Firmware< 14.3\(1\)
CiscoIp Phone 7861 Firmware< 14.3\(1\)
CiscoIp Phone 8811 Firmware< 14.3\(1\)
CiscoIp Phone 8841 Firmware< 14.3\(1\)
CiscoIp Phone 8845 Firmware< 14.3\(1\)
CiscoIp Phone 8851 Firmware< 14.3\(1\)
CiscoIp Phone 8851nr Firmware< 14.3\(1\)
CiscoIp Phone 8861 Firmware< 14.3\(1\)
CiscoVideo Phone 8875 Firmware< 2.3\(1\)
CiscoVideo Phone 8875 Firmware2.3\(1\)

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2024-20445?
A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 could allow an unauthenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to improper storage of sensitive information within the web UI of Session Initiation Protocol (SIP)-based phone loads. An attacker could exploit this vulnerability by browsing to the IP address of a device that has Web Access enabled. A successful exploit could allow the attacker to access sensitive information, including incoming and outgoing call records. Note: Web Access is disabled by default.
How severe is CVE-2024-20445?
CVE-2024-20445 has a CVSS score of 5.3/10 (MEDIUM severity). The EPSS model estimates a 0.45% probability of exploitation in the next 30 days.
How do I fix CVE-2024-20445?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-20445?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST