Cisco Video Phone 8875 and Desk Phone 9800 Series Debug Shell Information Disclosure Vulnerability

A vulnerability exists in the debug shell of Cisco Video Phone 8875 and Cisco Desk Phone 9800 Series. This vulnerability allows an authenticated, local attacker with administrative credentials and SSH access to access sensitive information from the device's underlying operating system. SSH access is disabled by default. The issue arises from inadequate validation of user input by the debug shell, enabling attackers to send crafted SSH client commands through the command-line interface (CLI) to exploit the vulnerability.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive information on the device's operating system.

Remediation

Cisco has released software updates to address this vulnerability. Users should consult the Cisco Security Advisories page for guidance on upgrading. At the time of publication, devices running Cisco SIP IP Phone Software release 3.2(1) and earlier were vulnerable, while those on release 3.3(1) and later were not.