Cisco has confirmed that its Small Business SPA 300 and 500 series IP phones are vulnerable to an unpatched flaw.
The flaw could allow an attacker to listen to the audio stream of a phone call, make calls remotely or even eavesdrop on the area around the device.
“The vulnerability is due to improper authentication settings in the default configuration,” Cisco said in an advisory. “An attacker could exploit this vulnerability by sending a crafted XML request to the affected device. An exploit could allow the attacker to listen to a remote audio stream or make phone calls remotely.”
Chris Watts, director of Sydney-based Tech Analysis, who discovered the flaw, said it could also be used to turn on a phone’s microphone and listen to sounds in the device’s surrounding environment.
Cisco initially said it didn’t intend to patch the flaw, considering it low-risk, but afterward said it plans to issue a patch.
The flaw affects units running version 7.5.5 of the firmware, but later versions may also be affected, Cisco said.
Exploitation is made somewhat difficult by the fact that an attacker would need access to the network on which the telephone is installed, with most units likely to be protected by firewalls, Cisco said.
However, security researchers were quick to point out that attackers could locate affected phones directly connected to the Internet using a specialised device search engine such as Shodan.
Until a patch is released, Cisco advised administrators to take workaround measures such as enabling XML Execution authentication in the configuration settings of affected devices.
Are you a security pro? Try our quiz!
Pretty please? Elon Musk's X requests permission from Brazil's Supreme Court to resume service in…
Restructuring plan for OpenAI's core business will turn it into a 'for-profit benefit corporation', amid…
Blackstone to invest £10 billion in data centre in England's north east, at proposed site…
One of the most privacy focused web browsers, Firefox, is at the centre of a…
All change again at OpenAI, as CTO and two other senior executives depart, amid a…
Congressional testimony sees CrowdStrike executive publicly apologise for faulty update that caused chaos around the…