The vulnerability impacts Cisco’s IP Phone 8800 Series and IP Phone 7800 Series devices.
The bug, tracked as CVE-2020-3452, allows attackers to gain root access to vulnerable systems. According to Cisco’s security advisory, exploitation requires local access.
The vulnerability is caused by an insufficiently protected default account in IP Phone’s built-in web server, which provides administrative capabilities for users.
Malicious actors can access the administrative interface via the HTTP protocol with no authentication credentials required, allowing them to exploit the flaw and obtain root access to vulnerable devices.
Additionally, hackers can launch denial-of-service attacks or modify the settings of affected phones. Exploit code has already been published online, making it easier for threat actors to exploit the bug without needing technical expertise.
Cisco has released software updates to address the issue and urges users to patch their systems as soon as possible. Customers can disable access to the web server or reconfigure it with solid authentication credentials as an interim workaround.
Cisco also recommends that all users disable unused services, network ports and device protocols. They also advise customers to monitor their networks for any suspicious activity. The vulnerability was assigned a CVSS score of 8.8 out of 10.
The company is unaware of the vulnerability being exploited in the wild. However, given the availability of exploit code and its high severity rating, attackers could quickly start abusing the flaw if users fail to apply the required patches.