Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Uncategorized

Five zero-days impacts EoL Cisco Small Business IP Phones. Replace them with newer models asap!

Cisco warns of critical remote code execution zero-day vulnerabilities impacting end-of-life Small Business SPA 300 and SPA 500 series IP phones. Cisco warns of multiple critical remote code execution zero-day vulnerabilities in end-of-life Small Business SPA 300 and SPA 500 series IP phones. “Multiple vulnerabilities in the web-based management interface of Cisco Small Business SPA300 […]

Cisco Catalyst

Cisco warns of critical remote code execution zero-day vulnerabilities impacting end-of-life Small Business SPA 300 and SPA 500 series IP phones.

Cisco warns of multiple critical remote code execution zero-day vulnerabilities in end-of-life Small Business SPA 300 and SPA 500 series IP phones.

“Multiple vulnerabilities in the web-based management interface of Cisco Small Business SPA300 Series IP Phones and Cisco Small Business SPA500 Series IP Phones could allow an attacker to execute arbitrary commands on the underlying operating system or cause a denial of service (DoS) condition.” reads the advisory published by the vendor.

The vulnerabilities reside in the web-based management interface of the impacted devices, an attacker can exploit them to execute arbitrary commands on the underlying operating system or trigger a denial of service (DoS) condition. 

Three of these vulnerabilities, tracked as CVE-2024-20450, CVE-2024-20452, and CVE-2024-20454 (CVSS score 9.8), are arbitrary command execution issues. An unauthenticated, remote attacker can exploit these flaws to execute arbitrary commands on the underlying operating system with root privileges.

“These vulnerabilities exist because incoming HTTP packets are not properly checked for errors, which could result in a buffer overflow. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to overflow an internal buffer and execute arbitrary commands at the root privilege level.” continues the advisory.

The remaining two vulnerabilities, tracked as CVE-2024-20451 and CVE-2024-20453 (CVSS score 7.5), can be exploited by an unauthenticated, remote attacker to cause an affected device to reload unexpectedly triggering a DoS condition.

“These vulnerabilities exist because HTTP packets are not properly checked for errors. An attacker could exploit this vulnerability by sending a crafted HTTP packet to the remote interface of an affected device. A successful exploit could allow the attacker to cause a DoS condition on the device.” states the advisory.

Aidan of BAE Systems Digital Intelligence discovered these vulnerabilities.

Cisco said that its Product Security Incident Response Team (PSIRT) is not aware of attacks in the wild exploiting these flaws.

The IT giant will not address the vulnerabilities and hasn’t provided mitigations. Customers using the impacted IP phones have to replace them with newer models as soon as possible.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Small Business IP Phones)