Cisco has released a security advisory detailing multiple vulnerabilities in several of its enterprise phone series, which could expose organizations to remote attacks.
The flaws affect the Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and the Video Phone 8875 when running Session Initiation Protocol (SIP) Software.
A remote, unauthenticated attacker could exploit these vulnerabilities to cause a denial-of-service (DoS) condition or conduct a cross-site scripting (XSS) attack.
- Affected models: Desk Phone 9800 Series, IP Phone 7800 Series, IP Phone 8800 Series, Video Phone 8875.
- Software component: Cisco SIP Software on registered devices with Web Access enabled.
- Attack vector: Remote, unauthenticated HTTP requests.
A crucial condition for any attack is that the target phone must be registered to a Cisco Unified Communications Manager and have the Web Access feature enabled.
According to Cisco, this setting is disabled by default, which significantly limits the immediate attack surface for most deployments. However, organizations that have enabled this feature are urged to take immediate action.
The DoS and XSS Flaws
The advisory details two primary vulnerabilities. The first, identified as CVE-2025-20350, is a high-severity DoS vulnerability with a CVSS score of 7.5. It stems from a buffer overflow issue in the device’s web user interface.
An attacker could exploit this by sending specially crafted HTTP packets to an affected phone, causing it to reload and resulting in a service disruption for the user. This attack does not require any user interaction.
- CVE-2025-20350: Buffer overflow in web UI leading to forced reload.
- Risk: Complete phone unavailability for end users.
The second vulnerability, CVE-2025-20351, is a medium-severity XSS flaw. This issue exists because the web UI does not properly validate user-supplied input. An attacker could exploit this by persuading a user to click on a crafted link.
A successful exploit would allow the attacker to execute arbitrary script code within the context of the user’s browser, potentially leading to the theft of sensitive information.
- CVE-2025-20351: Reflected XSS via insufficient input validation.
- Risk: Execution of malicious scripts and potential data exposure.
Recommended Actions and Mitigation
Cisco has released free software updates to address both vulnerabilities and strongly recommends that customers upgrade to a fixed software release.
The advisory provides detailed tables outlining the affected products and the first software version that contains the necessary patches. For organizations unable to immediately apply the updates, a key mitigation is available.
- Disable Web Access on all affected phones until patches can be applied.
- Use Bulk Administration Tool (BAT) for mass configuration changes.
The vulnerabilities were discovered during internal security testing by Cisco’s Advanced Security Initiatives Group (ASIG).
At the time of publication, the Cisco Product Security Incident Response Team (PSIRT) stated it was not aware of any public announcements or malicious exploitation of these flaws.
Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates
