Cisco SPA100 Series Analog Telephone Adapters Administrative Credentials Information Disclosure Vulnerability
Description
A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to access sensitive information on an affected device. The vulnerability is due to unsafe handling of user credentials. An attacker could exploit this vulnerability by viewing portions of the web-based management interface of an affected device. A successful exploit could allow the attacker to access administrative credentials and potentially gain elevated privileges by reusing stolen credentials on the affected device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated attacker can retrieve admin password hashes from Cisco SPA100 Series ATAs via a crafted POST request, leading to privilege escalation.
Vulnerability
The vulnerability resides in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs). Due to unsafe handling of user credentials, an authenticated attacker can retrieve administrative password hashes by sending a crafted POST request to the apply.cgi endpoint with the submit_button parameter set to User_Level [1]. This affects firmware releases 1.4.1 SR3 and earlier [2].
Exploitation
An attacker must have authenticated access to the web interface (any user level). The exploit involves sending a POST request to apply.cgi with submit_button=User_Level and change_action=gozila_cgi. The response body contains the administrator password hash, which can be extracted without additional privileges [1].
Impact
Successful exploitation allows the attacker to obtain the administrator password hash. This hash can be cracked offline or reused to gain elevated privileges on the affected device, potentially leading to full administrative control [1][2].
Mitigation
Cisco has released firmware updates to address this vulnerability; users should upgrade to the latest firmware version. No workarounds are available [2]. At the time of publication, no fix was listed in the CISA Known Exploited Vulnerabilities catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: unspecified
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Unsafe handling of user credentials: the `apply.cgi` handler renders an arbitrary ASP page when `submit_button=User_Level`, leaking the administrator password hashes in the response."
Attack vector
An authenticated attacker sends a crafted POST request to `/apply.cgi` with the parameter `submit_button=User_Level` and `change_action=gozila_cgi` [ref_id=1]. The device's web-based management interface does not restrict which ASP page is rendered based on the `submit_button` value, causing it to return the admin password hashes in the HTTP response body [ref_id=1]. An attacker who obtains these hashes can crack them offline or reuse them to gain administrative privileges on the device [ref_id=1].
Affected code
The vulnerability exists in the `apply.cgi` CGI handler of the Cisco SPA100 Series firmware. When a POST request is sent to `apply.cgi` with a `submit_button` value of `'User_Level'`, the device renders an arbitrary ASP page that includes the administrator password hashes in the response body [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the remediation guidance is implied by the nature of the vulnerability: the device must validate that the `submit_button` parameter only triggers authorized ASP page renders and must not expose credential hashes in the response body [ref_id=1]. Cisco has released firmware updates for the SPA100 Series that address this and the other disclosed vulnerabilities; users should upgrade to the latest firmware version [ref_id=1].
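One way to look for this request pattern in logs from a proxy or IDS that records request bodies in front of the management interface, as an added example (not code from the advisory or from Cisco). The log layout, user names and sample records are constructed assumptions; the matched values `apply.cgi`, `submit_button=User_Level` and `change_action=gozila_cgi` are the ones given in the description above.

```python
from urllib.parse import parse_qs

# Constructed records in an assumed "METHOD TARGET USER BODY" layout ("-" = no body).
SAMPLE_LOG = """\
POST /apply.cgi alice submit_button=Status_Router&change_action=gozila_cgi
POST /apply.cgi bob submit_button=User_Level&change_action=gozila_cgi
GET /index.asp bob -
POST /apply.cgi?t=1 bob change_action=gozila_cgi&submit_button=User%5FLevel
POST /apply.cgi bob submit_button=User_Level&change_action=
truncated-record
"""

def parse_record(line):
    """Return (method, path, user, decoded form fields), or None if malformed."""
    parts = line.split(" ", 3)
    if len(parts) != 4:
        return None
    method, target, user, body = parts
    # Drop any query string or path parameters before comparing the path.
    path = target.split("?", 1)[0].split(";", 1)[0]
    # parse_qs percent-decodes, so encoded values match like plain ones.
    fields = parse_qs(body, keep_blank_values=True) if body != "-" else {}
    return method.upper(), path.lower(), user, fields

def classify(line):
    """'match' = both published parameters present, 'partial' = User_Level only."""
    rec = parse_record(line)
    if rec is None:
        return None
    method, path, _user, fields = rec
    if method != "POST" or not path.endswith("/apply.cgi"):
        return None
    if "User_Level" not in fields.get("submit_button", []):
        return None
    return "match" if "gozila_cgi" in fields.get("change_action", []) else "partial"

def scan(log_text):
    """Return (line number, user, verdict) for every flagged record."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        verdict = classify(line)
        if verdict:
            hits.append((number, line.split(" ", 3)[2], verdict))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A `partial` verdict is kept separate because the root cause above is tied to the `submit_button` value, so a request carrying `User_Level` without the exact `change_action` still merits review.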
Preconditions
- auth: Attacker must have valid authentication credentials for the web-based management interface
- network: Attacker must have network access to the device's management interface
- input: Attacker sends a POST request with submit_button=User_Level
Reproduction
```bash
curl -i -s -k -X $'POST' \
    -H $'Host:
```
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
- tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-credentials (mitre, vendor-advisory, x_refsource_CISCO)
- www.tenable.com/security/research/tra-2019-44 (mitre, x_refsource_MISC)