
0day Cisco IP phones threaten the security of corporate networks

What the company offers when there are no fixes and no plans to release any.

Cisco has warned users about several zero-day vulnerabilities in the web management interface of the Small Business SPA 300 and SPA 500 series IP phones, which have already been discontinued. The detected 0-days allow an attacker to remotely execute arbitrary code on the devices.

Because these models are no longer supported, Cisco has not released any patches or workarounds. Accordingly, users are strongly encouraged to upgrade to newer, supported phone models as soon as possible.

Cisco experts identified 5 vulnerabilities:
  • 3 flaws rated CVSS 9.8 (CVE-2024-20450, CVE-2024-20452 and CVE-2024-20454) are buffer overflows that allow an unauthenticated remote attacker to send specially crafted HTTP requests and execute commands with root privileges on the target device.
  • 2 flaws rated CVSS 7.5 (CVE-2024-20451 and CVE-2024-20453) are caused by insufficient validation of HTTP packets and can lead to denial of service (DoS).

All of the flaws affect every software version running on SPA 300 and SPA 500 series IP phones, regardless of device configuration. Each vulnerability can be exploited independently of the others, which further increases the risk.

Support for the SPA 300 ended in February 2022, and for the SPA 500 in June 2020. Although the SPA 500 will still be covered by service contracts and special warranty conditions until the end of May 2025, the SPA 300 models have not received security updates since February 2024. Upgrading to newer models, such as the Cisco IP Phone 8841 or the Cisco 6800 series, is a critical step in protecting corporate networks.
