Cisco is warning of a critical flaw in the web server of its IP phones. If exploited, the flaw could allow an unauthenticated, remote attacker to execute code with root privileges or launch a denial-of-service (DoS) attack.
Proof-of-concept (PoC) exploit code has been posted on GitHub for the vulnerability (CVE-2020-3161), which ranks 9.8 out of 10 on the CVSS scale. Cisco issued patches in a Wednesday advisory for the flaw, which affects various versions of its Cisco IP phones for small- to medium-sized businesses.
According to Jacob Baines with Tenable, who discovered the flaw, Cisco IP phone web servers lack proper input validation for HTTP requests. To exploit the bug, an attacker could merely send a crafted HTTP request to the /deviceconfig/setActivationCode endpoint (on the web server of the targeted device).