CVE-2024-20357

Summary

A vulnerability in the XML service of Cisco IP Phone firmware could allow an unauthenticated, remote attacker to initiate phone calls on an affected device.
This vulnerability exists because bounds-checking does not occur while parsing XML requests. An attacker could exploit this vulnerability by sending a crafted XML request to an affected device. A successful exploit could allow the attacker to initiate calls or play sounds on the device.

Affected Software

VendorProductVersion RangeStatus
CiscoCisco IP Phones with Multiplatform Firmware11.3.1 MSR2-6affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.1 MSR3-3affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.2affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.3affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.1 MSR4-1affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.4affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.5affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.3 MSR2affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.3 MSR1affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.6affected
CiscoCisco IP Phones with Multiplatform Firmware11-3-1MPPSR4UPGaffected
CiscoCisco IP Phones with Multiplatform Firmware11.3.7affected
CiscoCisco IP Phones with Multiplatform Firmware11-3-1MSR2UPGaffected
CiscoCisco IP Phones with Multiplatform Firmware11.3.6SR1affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.7SR1affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.7SR2affected
CiscoCisco IP Phones with Multiplatform Firmware11.0.0affected
CiscoCisco IP Phones with Multiplatform Firmware11.0.1affected
CiscoCisco IP Phones with Multiplatform Firmware11.0.1 MSR1-1affected
CiscoCisco IP Phones with Multiplatform Firmware11.0.2affected
CiscoCisco IP Phones with Multiplatform Firmware11.1.1affected
CiscoCisco IP Phones with Multiplatform Firmware11.1.1 MSR1-1affected
CiscoCisco IP Phones with Multiplatform Firmware11.1.1 MSR2-1affected
CiscoCisco IP Phones with Multiplatform Firmware11.1.2affected
CiscoCisco IP Phones with Multiplatform Firmware11.1.2 MSR1-1affected
CiscoCisco IP Phones with Multiplatform Firmware11.1.2 MSR3-1affected
CiscoCisco IP Phones with Multiplatform Firmware11.2.1affected
CiscoCisco IP Phones with Multiplatform Firmware11.2.2affected
CiscoCisco IP Phones with Multiplatform Firmware11.2.3affected
CiscoCisco IP Phones with Multiplatform Firmware11.2.3 MSR1-1affected
CiscoCisco IP Phones with Multiplatform Firmware11.2.4affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.1affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.1 MSR1-3affected
CiscoCisco IP Phones with Multiplatform Firmware4.5affected
CiscoCisco IP Phones with Multiplatform Firmware4.6 MSR1affected
CiscoCisco IP Phones with Multiplatform Firmware4.7.1affected
CiscoCisco IP Phones with Multiplatform Firmware4.8.1affected
CiscoCisco IP Phones with Multiplatform Firmware4.8.1 SR1affected
CiscoCisco IP Phones with Multiplatform Firmware5.0.1affected
CiscoCisco IP Phones with Multiplatform Firmware12.0.1affected
CiscoCisco IP Phones with Multiplatform Firmware12.0.2affected
CiscoCisco IP Phones with Multiplatform Firmware12.0.3affected
CiscoCisco IP Phones with Multiplatform Firmware12.0.3SR1affected
CiscoCisco IP Phones with Multiplatform Firmware12.0.4affected
CiscoCisco IP Phones with Multiplatform Firmware5.1.1affected
CiscoCisco IP Phones with Multiplatform Firmware5.1.2affected
CiscoCisco IP Phones with Multiplatform Firmware5.1(2)SR1affected
CiscoCisco PhoneOS1.0.1affected
CiscoCisco PhoneOS2.1.1affected
CiscoCisco PhoneOS2.0.1affected
CiscoCisco PhoneOS2.3.1affected

Weaknesses

  • CWE-787: Out-of-bounds Write

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References