Unrated severityNVD Advisory· Published Oct 16, 2019· Updated Nov 20, 2024

Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities

CVE-2019-15245

Description

Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated adjacent attacker can execute arbitrary code with elevated privileges on Cisco SPA100 Series ATAs via crafted requests to the web interface.

Vulnerability

The Cisco SPA100 Series Analog Telephone Adapters (ATAs) contain multiple vulnerabilities in the web-based management interface due to improper validation of user-supplied input. The web interface is enabled by default. Affected versions include firmware releases before the fixed version ([1]).

Exploitation

An attacker must be able to authenticate to the web-based management interface and must be on the same adjacent network. The attacker then sends crafted HTTP requests to the device to trigger the vulnerability ([1]).

Impact

Successful exploitation allows the attacker to execute arbitrary code with elevated privileges on the affected device, leading to full compromise of the ATA ([1]).

Mitigation

Cisco has released free software updates to address these vulnerabilities. Customers should upgrade to the fixed firmware version as indicated in the Cisco Security Advisory [1]. There is no mention of the device being on the KEV list.

References

Cisco Security Advisory: Multiple Cisco Analog Telephone Adapters Remote Code Execution Vulnerabilities

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Cisco Systems, Inc./SPA100 Series Analog Telephone Adaptersllm-fuzzy
Cisco Systems, Inc./SPA112 2-Port Phone Adaptercpe-rescue
Range: unspecified

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rcemitrevendor-advisoryx_refsource_CISCO

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000