Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 Directory Permission Vulnerability Allowing Arbitrary File Write

Vulnerability

A vulnerability exists in the directory permissions of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875, all running Cisco SIP Software. It allows an unauthenticated, remote attacker to write arbitrary files on the affected device. The issue arises from inadequate authentication controls: an attacker can exploit it by sending crafted requests. Successful exploitation could result in unauthorized file writes to specific directories within the device's operating system. Exploitation requires Web Access to be enabled on the phone; this feature is disabled by default.

Impact

Exploitation of this vulnerability could lead to unauthorized file writes on the affected device, potentially allowing for the introduction of malicious files or the modification of existing files in a way that could disrupt normal operation or compromise security.

Remediation

Cisco has released software updates to address this vulnerability. Users should consult the Cisco Security Advisories page for information on fixed releases and upgrade instructions.

Added: Sep 3, 2025, 6:24 PM
Updated: Sep 3, 2025, 6:24 PM

Vulnerability Rating

Custom Algorithm
spread: 6.8
impact: 2.5
exploitability: 7.0
remediation: 0.0
relevance: 0.5
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.