Unrated severityNVD Advisory· Published Oct 16, 2019· Updated Nov 20, 2024

Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities

CVE-2019-15249

Description

Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cisco SPA100 Series ATAs contain input validation flaws allowing authenticated adjacent attackers to execute arbitrary code with elevated privileges.

Vulnerability

The vulnerabilities reside in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs). They are due to improper validation of user-supplied input. All firmware versions prior to the fixed release are affected. [1]

Exploitation

An attacker must be authenticated to the web-based management interface and have adjacent network access. The attacker then sends crafted HTTP requests to the device. The web interface is enabled by default, so no prior configuration is required. [1]

Impact

Successful exploitation allows the attacker to execute arbitrary code with elevated privileges on the affected device, potentially gaining full control. [1]

Mitigation

Cisco has released firmware updates to address these vulnerabilities. Customers should upgrade to the latest firmware version available from Cisco. No workarounds are mentioned. [1]

References

Cisco Security Advisory: Multiple Cisco Analog Telephone Adapters Remote Code Execution Vulnerabilities

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Cisco Systems, Inc./SPA100 Series Analog Telephone Adaptersllm-fuzzy
Cisco Systems, Inc./SPA112 2-Port Phone Adaptercpe-rescue
Range: unspecified

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rcemitrevendor-advisoryx_refsource_CISCO

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000