Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities
Description
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated adjacent attacker can execute arbitrary code on Cisco SPA100 ATAs via crafted requests to the web interface.
Vulnerability
The vulnerability resides in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs). Improper validation of user-supplied input allows an authenticated, adjacent attacker to trigger arbitrary code execution. The web-based management interface is enabled by default. All firmware versions prior to the fixed release are affected [1].
Exploitation
An attacker must be on the same network segment as the target device (adjacent) and possess valid credentials for the web-based management interface. After authenticating, the attacker sends specially crafted HTTP requests to the device. No additional user interaction is required [1].
Impact
Successful exploitation grants the attacker arbitrary code execution with elevated privileges, potentially leading to full compromise of the ATA device, including disclosure of sensitive information, modification of configuration, or denial of service [1].
Mitigation
Cisco has released free software updates to address this vulnerability. Customers should upgrade to the latest fixed firmware version for their SPA100 series device. No workarounds are available. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: unspecified
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rcemitrevendor-advisoryx_refsource_CISCO
News mentions
0No linked articles in our index yet.