Cisco SPA100 Series Analog Telephone Adapters Running Configuration Information Disclosure Vulnerability
Description
A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to access sensitive information on an affected device. The vulnerability is due to improper restrictions on configuration information. An attacker could exploit this vulnerability by sending a request to an affected device through the web-based management interface. A successful exploit could allow the attacker to return running configuration information that could also include sensitive information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated disclosure of running configuration via HTTP GET to /a.cfg on Cisco SPA100 Series ATAs, leaking password hashes for privilege escalation.
Vulnerability
A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) allows an authenticated, remote attacker to access sensitive configuration information [2]. The flaw stems from improper restrictions on configuration information. Affected products are Cisco SPA100 Series ATAs running firmware releases 1.4.1 SR3 and earlier [2].
Exploitation
An attacker with valid credentials can retrieve the device’s running configuration by sending an HTTP GET request to /a.cfg [1]. The returned configuration file is encoded but can be trivially decoded, revealing the administrator password hash (MD5) and the Cisco hash [1]. No user interaction beyond authentication is required; the attacker can directly make the request from a network position that can reach the device's web interface.
Impact
A successful exploit discloses the administrator password hash, which an attacker can use to escalate privileges on the device [1][2]. Combined with offline cracking of the hash, this could lead to full administrative control of the ATA, potentially enabling further attacks such as call interception or device manipulation.
Mitigation
Cisco released firmware version 1.4.2 SR1 or later to address this vulnerability (patched in October 2019) [2]. No workarounds are available [2]. Users should upgrade to the fixed firmware and ensure devices are not exposed to untrusted networks. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: unspecified
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper restrictions on configuration information allow an authenticated attacker to retrieve the NVRAM configuration, including sensitive password hashes, via the /a.cfg endpoint."
Attack vector
An authenticated attacker sends an HTTP GET request to the `/a.cfg` endpoint on the affected device [ref_id=1]. The device returns an encoded copy of the NVRAM configuration, which is trivial to decode and includes the admin password hash and the cisco hash [ref_id=1]. The attacker can then use these hashes to escalate privileges or log in as an administrator. The only precondition is that the attacker must already have authenticated access to the web-based management interface.
Affected code
The vulnerability is in the web-based management interface of Cisco SPA100 Series ATAs. The advisory identifies that performing an HTTP GET for `/a.cfg` returns an encoded copy of the NVRAM configuration [ref_id=1]. No specific source file or function name is provided in the bundle.
What the fix does
The advisory does not include a patch or remediation details. It only describes the vulnerability: the `/a.cfg` endpoint improperly exposes the NVRAM configuration, including sensitive password hashes, to authenticated users [ref_id=1]. The fix would likely involve restricting access to the configuration backup endpoint or removing sensitive credentials from the returned configuration data.
Preconditions
- authAttacker must have valid authenticated access to the web-based management interface of the Cisco SPA100 device.
Reproduction
Send an authenticated HTTP GET request to `/a.cfg` on the target device. The response will contain an encoded copy of the NVRAM configuration, which can be trivially decoded to reveal the admin password hash and cisco hash [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2- tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-running-configmitrevendor-advisoryx_refsource_CISCO
- www.tenable.com/security/research/tra-2019-44mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.