PT-2024-7957 · Cisco · Cisco Desk Phone 9800 Series

Bekir Kaya · Published 2024-11-06 · Updated 2026-01-05 · CVE-2024-20445

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Cisco Desk Phone 9800 Series versions prior to the fixed version
Cisco IP Phone 7800 Series versions prior to the fixed version
Cisco IP Phone 8800 Series versions prior to the fixed version
Cisco Video Phone 8875 versions prior to 14.2(1)SR3

Description

A vulnerability in the web UI of the affected devices could allow an unauthenticated, remote attacker to access sensitive information, including incoming and outgoing call records. This issue is due to improper storage of sensitive information within the web UI of Session Initiation Protocol (SIP)-based phone loads. An attacker could exploit this vulnerability by browsing to the IP address of a device that has Web Access enabled.

Recommendations

For Cisco Desk Phone 9800 Series, update to a version that contains the fix for this issue.
For Cisco IP Phone 7800 Series, update to a version that contains the fix for this issue.
For Cisco IP Phone 8800 Series, update to a version that contains the fix for this issue.
For Cisco Video Phone 8875, update to version 14.2(1)SR3 or later.
As a temporary workaround, consider disabling Web Access on the affected devices until a patch is available.
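
The recommendations above, applied to a phone inventory, as an added example that is not part of the original entry or Cisco's own tooling. It assumes firmware is reported in the major.minor(maintenance)SRn form used on this page; the inventory schema (host, model, firmware, web_access) and the sample rows are hypothetical.

```python
import re

FIXED = {"Cisco Video Phone 8875": "14.2(1)SR3"}  # only fixed release the page names
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(?:SR(\d+))?$")

def parse_version(text):
    """'14.2(1)SR3' -> (14, 2, 1, 3); a release without SR sorts before SR1."""
    m = VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def triage(phone):
    """Return the list of actions for one inventory row (hypothetical schema)."""
    actions = []
    fixed = FIXED.get(phone["model"])
    if fixed is None:
        # The page gives no fixed release for this model, so patch state is unknown.
        patched = None
        actions.append("look up fixed release for this model")
    else:
        try:
            patched = parse_version(phone["firmware"]) >= parse_version(fixed)
        except ValueError:
            patched = None
            actions.append("firmware string not parseable, review manually")
        if patched is False:
            actions.append(f"update to {fixed} or later")
    # Workaround from the page: Web Access stays off until the fix is confirmed.
    if phone["web_access"] and patched is not True:
        actions.append("disable Web Access until patched")
    return actions

# Constructed inventory rows, not real devices.
INVENTORY = [
    {"host": "phone-a", "model": "Cisco Video Phone 8875", "firmware": "14.2(1)SR2", "web_access": True},
    {"host": "phone-b", "model": "Cisco Video Phone 8875", "firmware": "14.2(1)SR3", "web_access": True},
    {"host": "phone-c", "model": "Cisco Video Phone 8875", "firmware": "14.3(1)", "web_access": False},
    {"host": "phone-d", "model": "Cisco IP Phone 8800 Series", "firmware": "14.2(1)", "web_access": True},
]

if __name__ == "__main__":
    for row in INVENTORY:
        print(row["host"], triage(row) or ["no action"])
```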

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2024-09470
CVE-2024-20445

Affected Products

Cisco Desk Phone 9800 Series
Cisco IP Phone 7800 Series
Cisco IP Phone 8800 Series
Cisco Video Phone 8875