Cisco SPA100 Series Analog Telephone Adapters Web Management Interface Denial of Service Vulnerability
Description
A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to improper validation of user-supplied requests to the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to cause the device to stop responding, requiring manual intervention for recovery.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated remote attacker can cause a denial of service on Cisco SPA100 Series ATAs via a crafted request to the web management interface.
Vulnerability
The vulnerability exists in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs). It is due to improper validation of user-supplied requests. An authenticated remote attacker can send a crafted request to the web interface, causing a denial of service. Affected firmware versions are 1.4.1 SR3 and earlier [2].
Exploitation
An attacker must have valid credentials to access the web-based management interface. The attacker sends a specially crafted HTTP POST request to the device. No additional privileges or user interaction beyond authentication are required. The exact request parameters are not publicly detailed, but the vulnerability can be triggered without complex steps [2].
Impact
Successful exploitation causes the device to stop responding, resulting in a denial of service condition. The device requires manual intervention (e.g., power cycle) to recover. No data is compromised, but availability is affected [2].
Mitigation
Cisco has released firmware updates to address this vulnerability. Users should upgrade to the latest available firmware for their device. There are no workarounds that mitigate the issue [2]. At the time of publication, no known public exploit code exists.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing validation of the help_idx parameter in the apply.cgi handler leads to a null pointer dereference when help_page is provided without help_idx."
Attack vector
An authenticated, remote attacker sends a crafted POST request to `/apply.cgi` with `submit_button=help/help`, `submit_type=fav_add`, and a value for `help_page` while omitting the `help_idx` parameter [ref_id=1]. The missing `help_idx` causes a null pointer dereference in the httpd process, crashing the web server and requiring a manual device reboot to restore service [ref_id=1]. No special network position is required beyond network access to the device's web interface.
Affected code
The vulnerability resides in the `apply.cgi` web handler on Cisco SPA100 Series ATAs. When processing a POST request with `submit_button=help/help` and `submit_type=fav_add`, the handler reads the `help_page` parameter but fails to validate the presence of a corresponding `help_idx` parameter [ref_id=1].
What the fix does
The advisory does not include a patch diff or specific fix details. Cisco's remediation guidance for this vulnerability typically involves applying a firmware update that adds proper validation of the `help_idx` parameter before dereferencing it, preventing the null pointer dereference [ref_id=1]. Without the patch, the only workaround is to restrict access to the web-based management interface to trusted users.
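The C program below is an added illustration written for this page; it is not Cisco's firmware code, which is not public. It models the request-handling shape the advisory describes (a form-parameter lookup that returns NULL when a parameter is absent, followed by use of that value without a presence check) and, beside it, the validation the fix is described as adding. The parser, the function names, the error codes and the upper bound on `help_idx` are assumptions made for the example; the sample request bodies are constructed, the first mirroring the advisory's reproduction.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PARAMS 16

/* One key=value pair from an application/x-www-form-urlencoded body. */
struct param { char key[32]; char value[64]; };
struct form  { struct param items[MAX_PARAMS]; int count; };

/* Minimal form-body parser (assumed helper; percent-decoding is omitted
   because every parameter in the advisory is plain ASCII). */
static int parse_form(const char *body, struct form *f) {
    const char *p = body;
    f->count = 0;
    while (*p && f->count < MAX_PARAMS) {
        const char *amp = strchr(p, '&');
        size_t len = amp ? (size_t)(amp - p) : strlen(p);
        const char *eq = memchr(p, '=', len);
        struct param *it = &f->items[f->count];
        size_t klen = eq ? (size_t)(eq - p) : len;
        size_t vlen = eq ? len - klen - 1 : 0;
        if (klen >= sizeof it->key || vlen >= sizeof it->value) return -1;
        memcpy(it->key, p, klen);
        it->key[klen] = '\0';
        if (eq) memcpy(it->value, eq + 1, vlen);
        it->value[vlen] = '\0';
        f->count++;
        if (!amp) break;
        p = amp + 1;
    }
    return 0;
}

/* Look up a parameter by name; NULL means the client did not send it. */
static const char *form_get(const struct form *f, const char *key) {
    for (int i = 0; i < f->count; i++)
        if (strcmp(f->items[i].key, key) == 0) return f->items[i].value;
    return NULL;
}

/* Hypothetical favourite-help handler in the shape the advisory describes:
   help_page is checked, but help_idx is passed straight to atoi(), so a
   request carrying help_page without help_idx dereferences a NULL pointer
   and takes the whole httpd process down. Never call this with a body
   that lacks help_idx. */
int fav_add_vulnerable(const struct form *f, int *out_idx) {
    const char *page = form_get(f, "help_page");
    if (page == NULL) return -1;
    const char *idx = form_get(f, "help_idx");
    *out_idx = atoi(idx);                      /* crashes when idx == NULL */
    return 0;
}

/* Hardened form: every required parameter is checked for presence and
   well-formedness before use, and a bad request is answered with an error
   (the caller would map -1 to HTTP 400) instead of crashing the server. */
int fav_add_hardened(const struct form *f, int *out_idx) {
    const char *page = form_get(f, "help_page");
    const char *idx  = form_get(f, "help_idx");
    if (page == NULL || idx == NULL || *idx == '\0') return -1;
    char *end;
    long v = strtol(idx, &end, 10);
    /* 1023 is an assumed upper bound for the example, not a documented one. */
    if (*end != '\0' || v < 0 || v > 1023) return -1;
    *out_idx = (int)v;
    return 0;
}

/* Parse a body and dispatch it to the hardened handler. */
int handle_fav_add(const char *body, int *out_idx) {
    struct form f;
    if (parse_form(body, &f) != 0) return -1;
    return fav_add_hardened(&f, out_idx);
}

int main(void) {
    /* Constructed sample bodies; the first mirrors the advisory's reproduction. */
    const char *missing  = "submit_button=help/help&submit_type=fav_add"
                           "&change_action=gozila_cgi&help_page=1";
    const char *complete = "submit_button=help/help&submit_type=fav_add"
                           "&help_page=1&help_idx=3";
    int idx = -1;
    printf("missing help_idx -> %s\n",
           handle_fav_add(missing, &idx) == 0 ? "accepted" : "rejected");
    printf("complete request -> idx %d\n",
           handle_fav_add(complete, &idx) == 0 ? idx : -1);
    return 0;
}
```

The design point is where the presence check sits: the hardened handler resolves every parameter it needs and validates all of them before any value is used, so an incomplete request is rejected at the boundary and the daemon keeps serving, rather than failing inside the first use of a NULL value.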
Preconditions
- auth: Attacker must have valid credentials to authenticate to the web-based management interface
- network: Attacker must have network access to the device's web interface (typically TCP port 80 or 443)
- input: The crafted POST request must include help_page but omit help_idx
Reproduction
curl -i -s -k -X $'POST' -H $'Host: 192.168.1.123' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 93' --data-binary $'submit_button=help/help&submit_type=fav_add&change_action=gozila_cgi&help_page=1' $'http://192.168.1.123/apply.cgi;session_id=a534c87e1fe5d0f49498cd9cbed1d4cd' [ref_id=1]
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-webui-dos (mitre, vendor-advisory, x_refsource_CISCO)
- www.tenable.com/security/research/tra-2019-44 (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.