Some models of Cisco IP Phones vulnerable to eavesdropping

Chris Watts discovered a security flaw affecting some models of Cisco IP Phones that could be exploited to eavesdrop on conversations and make phone calls.

Some models of Cisco IP phones for small businesses are affected by a vulnerability, coded as CVE-2015-0670 that could be exploited by a remote attacker to eavesdrop on conversations and make phone calls from the vulnerable phones.

The security flaw was discovered by security research Chris Watts from Tech Analysis, which reported two other flaws (CVE-2014-3313 and CVE-2014-3312)impacting Cisco SPA300 and SPA500 series IP phones.

  • The CVE-2014-3313 vulnerability is a cross-site scripting (XSS) affecting the web user interface on Cisco Small Business SPA300 and SPA500 IP phones, the flaw could be exploited by attackers to remotely inject arbitrary web script or HTML via a crafted URL
  • The CVE-2014-3312 vulnerability can be exploited by a local attacker to execute arbitrary commands (CVE-2014-3312).

The last vulnerability discovered by the expert, the CVE-2015-0670, allows unauthenticated remote dial vulnerability affects version 7.5.5 and later versions of the models belonging to the Cisco Small Business SPA300 and SPA500 series IP phones.

“Cisco Small Business SPA 300 and 500 Series IP phones contain a vulnerability that could allow an unauthenticated, remote attacker to access sensitive information. Updates are not available.” states the security advisory published by Cisco.

The exploitation of the vulnerability is quite simple, a remote unauthenticated attacker can exploit the flaw by sending a maliciously crafted XML request to the targeted IP phone. Threat actors could obtain sensitive information by eavesdropping audio streams from the phones.


“To exploit this vulnerability, an attacker may need access to trusted, internal networks behind a firewall to send crafted XML requests to the targeted device. This access requirement may reduce the likelihood of a successful exploit,” the company noted in its advisory.

The attackers can also exploit the flaw to make phone calls remotely from a vulnerable phone.

“A successful exploit could be used to conduct further attacks,” Cisco said.

Despite Cisco has publicly disclosed the flaw, rating its exploitation as a medium severity, its users remain vulnerable to the attacks because the company hasn’t planned any update to fix the issue.

As possible safeguards, Cisco suggests administrators  to enable XML Execution authentication in the configuration settings of affected devices and to allow only trusted users to have network. It is strongly suggested to protect vulnerable Cisco system from external attacks by using a firewall or access control lists (ACLs) to allow only trusted IPs to access the IP phones.

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.