Connect with us

Hi, what are you looking for?



Cisco IP Phones Vulnerable to Eavesdropping

Some of the IP phones designed by Cisco for small businesses are plagued by a vulnerability that allows a remote attacker to eavesdrop on conversations and make phone calls from affected devices, the company revealed last week.

Some of the IP phones designed by Cisco for small businesses are plagued by a vulnerability that allows a remote attacker to eavesdrop on conversations and make phone calls from affected devices, the company revealed last week.

The unauthenticated remote dial vulnerability (CVE-2015-0670) affects version 7.5.5 and possibly later versions of Cisco Small Business SPA300 and SPA500 series IP phones.Cisco IP phones

According to an advisory published by Cisco, the flaw is caused by improper authentication settings in the affected software’s default configuration. A remote, unauthenticated attacker can exploit the weakness by sending a maliciously crafted XML request to the targeted IP phone.

Malicious actors could obtain sensitive information by listening in on audio streams from the device. They can also leverage the bug to make phone calls remotely from a vulnerable phone. “A successful exploit could be used to conduct further attacks,” Cisco said.

“To exploit this vulnerability, an attacker may need access to trusted, internal networks behind a firewall to send crafted XML requests to the targeted device. This access requirement may reduce the likelihood of a successful exploit,” the company noted in its advisory.

Cisco has confirmed the security hole, but updates that address this issue are not yet available. The company believes it’s unlikely for this medium severity vulnerability to be exploited.

Until security updates become available, administrators are advised to enable XML execution authentication from the device’s settings menu, and limit network access to trusted users.

The security hole was discovered by Chris Watts of Tech Analysis. In July 2014, the researcher reported two other flaws impacting Cisco SPA300 and SPA500 series IP phones: a cross-site scripting (XSS) vulnerability (CVE-2014-3313), and a vulnerability that can be exploited by a local attacker to execute arbitrary commands (CVE-2014-3312). At around the same time, Watts also identified a remote code execution flaw in Cisco modems.

Advertisement. Scroll to continue reading.

Earlier this month, Cisco announced the availability of security updates that fix vulnerabilities in Cisco Intrusion Prevention System (IPS), TelePresence Video Communication Server (VCS), Expressway, and TelePresence Conductor.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.