Showing results for 
Search instead for 
Did you mean: 

Get the latest Cisco news in this February issue of the Cisco Small Business Monthly Newsletter


Dangerous default, bill fraud may occur

There is remote control API avaiable on every phone on http://<ip>/CGI/Execute

It allow remote user to order the phone to dial any number, you can simulate key press, e.g. you can change anything accesible via phone menu and so on.

Such API is open by default in SIP mode - no authentication is required.

Such API is not mentioned in Administrator guide, so admin may not be aware of it. As result - any attacker with physical access to ethernet plug connected to phone network can order any other phone connected to such network to dial any number. As it's documented nowhere, most networks didn't  changed default to something more secure. Bill fraud is immitent.

Access to /CGI/Execute can be restricted by 'CISCO_XML_EXE_Auth_Mode' option, but it's not documented. Unauthorized description based on observations can be read here: CiscoIPPhoneExecute Dial but note that it will broke access to WWW UI, see Broken WWW UI on SPA504G

All SPA5xx, SPA3xx, SPA1xx and SPA2xx with current firmware seems to be affected by the issue (it doesn't mean that older firmwares are not vulnerable, I just didn't do test on them).


  1.   disable all inter-phone network conectivity on switch (our way, it require switch it can do it)
  2.   configure CISCO_XML_EXE_Auth_Mode value (but WWW UI become unusable then)

Because bill fraud may occur, it needs to be considered severe security incident.

Phones in SPCP mode has not been analyzed.

Everyone's tags (4)

The Broken WWW UI issue has

The Broken WWW UI issue has been solved in 7.5.6 firmware.

But API is still wide open by default making phone to be vulnerable.


See also: Bug in the latest spa3XX-5XXG phone firmware 7.5.6 - Can not transfer anonymous calls


Updated: see CSCuo52482, seems to be solved in 7.5.7s



Note that default value of

Note that default value of CISCO_XML_EXE_Auth_Mode has been changed from Trusted to Local Credential in 7.5.7s firmware.

Also, CISCO_XML_EXE_Enable with default value of No has been introduced in the same version.

See also: Added/removed/changed XML tags between N and M firmware of SPA50x