CVE-2019-15959

Published: Sep 23, 2020Modified: Nov 21, 2024

6.6

Vector

CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 0.7 / Impact: 5.9

Source: NVD

Description

A vulnerability in Cisco Small Business SPA500 Series IP Phones could allow a physically proximate attacker to execute arbitrary commands on the device. The vulnerability is due to the presence of development testing and verification scripts that remained on the device. An attacker could exploit this vulnerability by accessing the physical interface of a device and inserting a USB storage device. A successful exploit could allow the attacker to execute scripts on the device in an elevated security context.

Affected (1)

Products: Cisco: Spa500 Series Ip Phones Firmware

Cisco

1 product

Spa500 Series Ip Phones Firmware

Configuration A

1 vulnerable · 9 platform

Vulnerable Software	Affected Versions
Cisco Spa500 Series Ip Phones Firmware	Up to 7.5.7\(5\)

Running on/with	Platform Versions
Cisco Spa500ds	All versions
Cisco Spa500s	All versions
Cisco Spa501g	All versions
Cisco Spa502g	All versions
Cisco Spa504g	All versions
Cisco Spa512g	All versions
Cisco Spa514g	All versions
Cisco Spa525g	All versions
Cisco Spa525g2	All versions

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (2)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-spa500-script

Source: psirt@cisco.com

Vendor Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-spa500-script

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.