CVE-2019-15959 — Improper Input Validation in Cisco Spa500 Series IP Phones Firmware

CWE-20 — Improper Input Validation4 documents4 sources

Severity

6.6MEDIUMNVD

EPSS

0.2%

top 60.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Spa500 Series IP Phones Firmware Cisco Spa525g2 5-line IP Phone

Timeline

PublishedSep 23

Latest updateMay 24

Description

A vulnerability in Cisco Small Business SPA500 Series IP Phones could allow a physically proximate attacker to execute arbitrary commands on the device. The vulnerability is due to the presence of development testing and verification scripts that remained on the device. An attacker could exploit this vulnerability by accessing the physical interface of a device and inserting a USB storage device. A successful exploit could allow the attacker to execute scripts on the device in an elevated securi…

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 0.7 | Impact: 5.9

Affected Packages2 packages

▶NVDcisco/spa500_series_ip_phones_firmware7.5.7\(5\)

▶CVEListV5cisco/cisco_spa525g2_5-line_ip_phonen/a

🔴Vulnerability Details

GHSA

GHSA-6fhv-wpvj-mgr8: A vulnerability in Cisco Small Business SPA500 Series IP Phones could allow a physically proximate attacker to execute arbitrary commands on the devic↗2022-05-24

▶

CVEList

Cisco Small Business SPA500 Series IP Phones Local Script Execution Vulnerability↗2020-09-23

▶

📋Vendor Advisories

Cisco

Cisco Small Business SPA500 Series IP Phones Local Script Execution Vulnerability↗2019-11-06

▶