Advisory

Replace Cisco SPA300, SPA500 IP phones - critically vulnerable, no fixes

Take action: Start planning the replacement of your Cisco SPA300 and SPA500 IP phones. They are critically vulnerable and Cisco will not release fixes for them. Isolating them on a private network is only a stopgap, since sooner or later someone will find them. Budget now for replacement phones.


Learn More

Cisco has identified multiple vulnerabilities in its Small Business SPA300 and SPA500 Series IP Phones.

The three most severe flaws, tracked as CVE-2024-20450, CVE-2024-20452, and CVE-2024-20454 (each with a CVSS score of 9.8), are buffer overflows reachable through crafted HTTP requests. An unauthenticated remote attacker can exploit them to gain root-level access and execute arbitrary commands on the device, fully compromising it.

Two further flaws, CVE-2024-20451 and CVE-2024-20453 (CVSS score of 7.8), allow denial-of-service (DoS) attacks by causing the devices to reload unexpectedly; they do not enable arbitrary code execution.

Cisco has announced that no software updates or mitigations will be released to address these issues since the SPA300 and SPA500 series devices have reached their end-of-life (EoL) status. The SPA300 series officially ceased receiving fixes in 2020, with full support ending in February 2024. The SPA500 series will reach obsolescence on May 31, 2025, with service contract renewals available until August 27, 2024.

Cisco advises customers using these models to consider replacing their devices with supported alternatives, as no workarounds are available. Fortunately, there have been no reports of these vulnerabilities being exploited in the wild.
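Until the phones are gone, an added example (not from Cisco or this advisory) of how to scope the problem: it triages a constructed asset inventory by model prefix and flags oversized HTTP requests aimed at those phones in a constructed access-log format. The log layout, the size thresholds and all addresses are assumptions; the model prefixes and CVE numbers come from the advisory.

```python
import re

# Constructed inventory (assumption): hostname, model string, management IP.
INVENTORY = [
    {"host": "phone-101", "model": "SPA303",  "ip": "10.0.5.11"},
    {"host": "phone-102", "model": "SPA504G", "ip": "10.0.5.12"},
    {"host": "phone-201", "model": "CP-8841", "ip": "10.0.5.13"},
]

# Affected series and CVEs as listed in the advisory.
AFFECTED_PREFIXES = ("SPA30", "SPA50")
RCE_CVES = ("CVE-2024-20450", "CVE-2024-20452", "CVE-2024-20454")
DOS_CVES = ("CVE-2024-20451", "CVE-2024-20453")

def affected_phones(inventory):
    """Return inventory entries whose model is in the SPA300/SPA500 series."""
    return [d for d in inventory
            if d["model"].upper().startswith(AFFECTED_PREFIXES)]

# Constructed access-log layout (assumption): src -> dst "METHOD PATH HTTP/x" status request_bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) -> (?P<dst>\S+) "(?P<method>\S+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<reqlen>\d+)$')

LOG_LINES = [
    '10.0.9.4 -> 10.0.5.11 "GET /index.html HTTP/1.1" 200 310',
    '10.0.9.77 -> 10.0.5.11 "POST /' + "A" * 700 + ' HTTP/1.1" 500 9000',
    '10.0.9.4 -> 10.0.5.13 "GET /' + "B" * 700 + ' HTTP/1.1" 404 100',  # not an SPA phone
]

def suspicious_requests(lines, phone_ips, max_path=512, max_reqlen=4096):
    """Flag requests to affected phones whose path or total size exceeds the
    assumed thresholds; a coarse heuristic for crafted, oversized HTTP input."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["dst"] not in phone_ips:
            continue
        path_len, reqlen = len(m["path"]), int(m["reqlen"])
        if path_len > max_path or reqlen > max_reqlen:
            hits.append((m["src"], m["dst"], m["method"], path_len, reqlen))
    return hits

if __name__ == "__main__":
    phones = affected_phones(INVENTORY)
    for d in phones:
        print(f"{d['host']} ({d['model']}, {d['ip']}): replace; exposed to "
              f"{', '.join(RCE_CVES)} (RCE) and {', '.join(DOS_CVES)} (DoS)")
    for hit in suspicious_requests(LOG_LINES, {d["ip"] for d in phones}):
        print("oversized request to affected phone:", hit)
```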
