Cisco has issued a security advisory warning of multiple vulnerabilities in its Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 models running Cisco Session Initiation Protocol (SIP) Software.
Published on October 15, 2025, the advisory details risks that could enable unauthenticated remote attackers to trigger denial-of-service (DoS) conditions or cross-site scripting (XSS) attacks via the devices’ web user interface.
These flaws affect phones registered to Cisco Unified Communications Manager (CUCM) with Web Access enabled, a feature disabled by default to minimize exposure.
DoS Vulnerability Poses High Risk To Device Stability
The primary concern is CVE-2025-20350, a high-severity buffer overflow flaw rated at a CVSS 3.1 score of 7.5. This vulnerability arises when affected devices process crafted HTTP packets, potentially causing the phone to reload and disrupt operations.
Attackers need no privileges and can exploit it over the network with low complexity, leading to the temporary unavailability of communication services.
Cisco tracks it under bug IDs including CSCwn51601. The second issue, CVE-2025-20351, is a medium-severity cross-site scripting vulnerability with a CVSS score of 6.1.
The web UI does not adequately validate user-supplied input, so an attacker who persuades a user to open a crafted link can run script in that user's browser in the context of the phone's interface.
Successful exploitation could steal session data or alter what the user sees in the interface; unlike the DoS flaw, it requires user interaction. Cisco tracks it under bug IDs including CSCwn51683.
According to the advisory, these vulnerabilities affect specific Cisco SIP Software releases across the phone series listed above; phones running Multiplatform Firmware are not affected.
Exploitation requires both that Web Access be enabled and that the phone be registered to CUCM. Web Access is disabled by default, so a phone in its default configuration is not exposed. Cisco is not aware of public exploit code or of malicious use, but organizations that have turned on the web UI should treat their phones as reachable targets on the unified communications network.
Mitigations
Cisco lists no workarounds. The available mitigation is to disable Web Access in CUCM administration, per phone or in bulk through the Bulk Administration Tool, and then confirm that it took effect by browsing to the phone's IP address and checking that the web UI no longer responds.
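As an added example (not Cisco's code or tooling, and not taken from the advisory), the following Python script automates that confirmation across a phone inventory: it sends one HTTP GET to each phone and reports any that still answer. It assumes that a phone with Web Access disabled closes its HTTP listener entirely, so any HTTP response at all, including a 401 or 404, means the web UI is still exposed. The `start_fake_phone` and `free_closed_port` helpers are local stand-ins for a phone with Web Access on and off, added only so the script can be run offline; in practice the target list comes from your phone inventory.

```python
"""Fleet check for the Web Access mitigation.

Added example, not Cisco code. Assumption (not from the advisory): a phone
with Web Access disabled does not listen on its HTTP port at all, so any
HTTP response means the web UI is still reachable and the phone is still
exposed to the two issues in the advisory.
"""
import http.client
import http.server
import socket
import ssl
import threading
from concurrent.futures import ThreadPoolExecutor


def web_ui_reachable(host, port=80, timeout=3.0, use_tls=False):
    """Return True if host:port answers an HTTP GET / with any status code.

    A 401/403/404 still counts as reachable: the listener is up, which is
    exactly the precondition both CVEs require. Connection refused, timeout,
    reset or a non-HTTP reply all count as not reachable.
    """
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # phones usually present self-signed certs
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"User-Agent": "webaccess-audit"})
        conn.getresponse()  # status line parsed: a real HTTP listener answered
        return True
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()


def check_fleet(targets, timeout=3.0, use_tls=False, workers=16):
    """Probe many phones concurrently.

    targets: iterable of (host, port) tuples, e.g. from an inventory export.
    Returns {"host:port": True/False}.
    """
    targets = list(targets)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(
            lambda t: web_ui_reachable(t[0], t[1], timeout, use_tls), targets))
    return {f"{h}:{p}": up for (h, p), up in zip(targets, results)}


def still_exposed(results):
    """Sorted list of targets whose web UI still answers (mitigation not applied)."""
    return sorted(t for t, up in results.items() if up)


# ---- local stand-ins so the script runs offline (hypothetical phones) -----

class _FakePhoneHandler(http.server.BaseHTTPRequestHandler):
    """Simulates a phone with Web Access enabled: answers every GET with 200."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"simulated phone web UI\n")

    def log_message(self, *args):  # keep demo output quiet
        pass


def start_fake_phone():
    """Start a loopback HTTP listener on a free port; returns (server, port)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _FakePhoneHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def free_closed_port():
    """Pick a loopback port nothing listens on (simulates Web Access disabled)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, on_port = start_fake_phone()   # "phone" with Web Access still on
    off_port = free_closed_port()       # "phone" with Web Access disabled
    fleet = check_fleet([("127.0.0.1", on_port), ("127.0.0.1", off_port)], timeout=1.0)
    for target, up in fleet.items():
        state = "WEB UI REACHABLE: disable Web Access or upgrade" if up else "closed"
        print(f"{target}: {state}")
    srv.shutdown()
```

Run it with a real target list by replacing the two loopback entries with `(ip, 80)` or `(ip, 443)` pairs from your inventory (set `use_tls=True` for 443). Anything in `still_exposed()` after the CUCM change has either not received the new configuration yet or was missed by the bulk job.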
Fixed releases include SIP Software 3.3(1) for Desk Phone 9800 and Video Phone 8875, 14.3(1)SR2 for IP Phone 7800/8800, and 11.0(6)SR7 for IP Phone 8821.
Administrators should upgrade to these fixed releases promptly; until a phone is upgraded, disabling Web Access removes the precondition both flaws require.