Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities
Description
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cisco SPA100 Series ATAs contain multiple input-validation flaws in the web management interface, allowing authenticated adjacent attackers to execute arbitrary code with elevated privileges.
Vulnerability
Multiple vulnerabilities exist in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs), including models 112, 122, 132, 232D, 525G, and 525G2. The flaws are rooted in improper validation of user-supplied input. An attacker must first authenticate to the web interface (which is enabled by default) and then send crafted HTTP requests to the device. Firmware versions up to and including 1.3.1.6 are vulnerable [1].
Exploitation
An attacker must be on a network segment adjacent to the target ATA and must possess valid administrative credentials for the web-based management interface. Once authenticated, the attacker submits crafted HTTP requests to the web interface, which bypass input validation. Exploitation does not require user interaction from the victim after the initial authentication [1].
Impact
Successful exploitation allows the attacker to execute arbitrary commands on the underlying operating system with elevated (root) privileges. This can result in complete compromise of the affected device, including potential disclosure of sensitive data, modification of device configuration, denial of service, or use as a pivot point for further network attacks [1].
Mitigation
Cisco released fixed firmware versions to address these vulnerabilities. The fixed releases are: SPA112 ATA version 1.4.1.19 or later, SPA122 ATA version 1.5.1.5 or later, SPA132 ATA version 1.4.1.2 or later, SPA232D ATA version 1.5.1.5 or later, SPA525G and SPA525G2 ATA version 1.5.2.1 or later. There are no workarounds; the only mitigation is upgrading to the fixed firmware [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: unspecified
References
[1] tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce (mitre, vendor-advisory, x_refsource_CISCO)