CVE-2024-20378

Summary

A vulnerability in the web-based management interface of Cisco IP Phone firmware could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device.
This vulnerability is due to a lack of authentication for specific endpoints of the web-based management interface on an affected device. An attacker could exploit this vulnerability by connecting to the affected device. A successful exploit could allow the attacker to gain unauthorized access to the device, enabling the recording of user credentials and traffic to and from the affected device, including VoIP calls that could be replayed.

Affected Software

VendorProductVersion RangeStatus
CiscoCisco IP Phones with Multiplatform Firmware11.3.1 MSR2-6affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.1 MSR3-3affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.2affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.3affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.1 MSR4-1affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.4affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.5affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.3 MSR2affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.3 MSR1affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.6affected
CiscoCisco IP Phones with Multiplatform Firmware11-3-1MPPSR4UPGaffected
CiscoCisco IP Phones with Multiplatform Firmware11.3.7affected
CiscoCisco IP Phones with Multiplatform Firmware11-3-1MSR2UPGaffected
CiscoCisco IP Phones with Multiplatform Firmware11.3.6SR1affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.7SR1affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.7SR2affected
CiscoCisco IP Phones with Multiplatform Firmware11.0.0affected
CiscoCisco IP Phones with Multiplatform Firmware11.0.1affected
CiscoCisco IP Phones with Multiplatform Firmware11.0.1 MSR1-1affected
CiscoCisco IP Phones with Multiplatform Firmware11.0.2affected
CiscoCisco IP Phones with Multiplatform Firmware11.1.1affected
CiscoCisco IP Phones with Multiplatform Firmware11.1.1 MSR1-1affected
CiscoCisco IP Phones with Multiplatform Firmware11.1.1 MSR2-1affected
CiscoCisco IP Phones with Multiplatform Firmware11.1.2affected
CiscoCisco IP Phones with Multiplatform Firmware11.1.2 MSR1-1affected
CiscoCisco IP Phones with Multiplatform Firmware11.1.2 MSR3-1affected
CiscoCisco IP Phones with Multiplatform Firmware11.2.1affected
CiscoCisco IP Phones with Multiplatform Firmware11.2.2affected
CiscoCisco IP Phones with Multiplatform Firmware11.2.3affected
CiscoCisco IP Phones with Multiplatform Firmware11.2.3 MSR1-1affected
CiscoCisco IP Phones with Multiplatform Firmware11.2.4affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.1affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.1 MSR1-3affected
CiscoCisco IP Phones with Multiplatform Firmware4.5affected
CiscoCisco IP Phones with Multiplatform Firmware4.6 MSR1affected
CiscoCisco IP Phones with Multiplatform Firmware4.7.1affected
CiscoCisco IP Phones with Multiplatform Firmware4.8.1affected
CiscoCisco IP Phones with Multiplatform Firmware4.8.1 SR1affected
CiscoCisco IP Phones with Multiplatform Firmware5.0.1affected
CiscoCisco IP Phones with Multiplatform Firmware12.0.1affected
CiscoCisco IP Phones with Multiplatform Firmware12.0.2affected
CiscoCisco IP Phones with Multiplatform Firmware12.0.3affected
CiscoCisco IP Phones with Multiplatform Firmware12.0.3SR1affected
CiscoCisco IP Phones with Multiplatform Firmware12.0.4affected
CiscoCisco IP Phones with Multiplatform Firmware5.1.1affected
CiscoCisco IP Phones with Multiplatform Firmware5.1.2affected
CiscoCisco IP Phones with Multiplatform Firmware5.1(2)SR1affected
CiscoCisco PhoneOS1.0.1affected
CiscoCisco PhoneOS2.1.1affected
CiscoCisco PhoneOS2.0.1affected
CiscoCisco PhoneOS2.3.1affected

Weaknesses

  • CWE-305: Authentication Bypass by Primary Weakness

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References