Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-15959

A vulnerability in Cisco Small Business SPA500 Series IP Phones could allow a physically proximate attacker to execute arbitrary commands on the device. The vulnerability is due to the presence of development testing and verification scripts that remained on the device. An attacker could exploit this vulnerability by accessing the physical interface of a device and inserting a USB storage device. A successful exploit could allow the attacker to execute scripts on the device in an elevated security context.

Published

2020-09-23T01:15:12.863

Last Modified

2024-11-21T04:29:49.480

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.6 (MEDIUM)

CVSSv2 Vector

AV:L/AC:L/Au:N/C:P/I:P/A:P

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

3.9

Impact Score

6.4

Weaknesses

Type: Secondary
CWE-20
Type: Primary
CWE-20

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	cisco	spa500_series_ip_phones_firmware	≤ 7.5.7\(5\)	Yes
Hardware	cisco	spa500ds	-	No
Hardware	cisco	spa500s	-	No
Hardware	cisco	spa501g	-	No
Hardware	cisco	spa502g	-	No
Hardware	cisco	spa504g	-	No
Hardware	cisco	spa512g	-	No
Hardware	cisco	spa514g	-	No
Hardware	cisco	spa525g	-	No
Hardware	cisco	spa525g2	-	No

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-spa500-script Vendor Advisory ([email protected])
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-spa500-script Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)