CVE-2019-15250

Name of the Vulnerable Software and Affected Versions Cisco SPA100 Series Analog Telephone Adapters (ATAs) (affected versions not specified)

Description The issue is related to improper validation of user-supplied input to the web-based management interface, which could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. An attacker could exploit this by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. The web-based management interface is enabled by default. Additionally, there is a buffer overflow issue in the web-based management interface of the Cisco SPA100 Series IP phones' firmware, which could be exploited by a remote attacker using a specially crafted request to execute arbitrary code with elevated privileges.

Recommendations For Cisco SPA100 Series Analog Telephone Adapters (ATAs), consider disabling the web-based management interface until a patch is available. Restrict access to the web-based management interface to minimize the risk of exploitation. Avoid using the web-based management interface for critical operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.