There is a remote control API available on every phone at http://<ip>/CGI/Execute.
It allows a remote user to order the phone to dial any number and to simulate key presses, so anything accessible via the phone menu can be changed, and so on.
This API is open by default in SIP mode: no authentication is required.
This API is not mentioned in the Administrator Guide, so admins may not be aware of it. As a result, any attacker with physical access to an Ethernet plug connected to the phone network can order any other phone on that network to dial any number. As it is documented nowhere, most networks have not changed the default to something more secure. Bill fraud is imminent.
Access to /CGI/Execute can be restricted with the 'CISCO_XML_EXE_Auth_Mode' option, but it is not documented. An unofficial description based on observations can be read here: CiscoIPPhoneExecute Dial, but note that it will break access to the WWW UI; see Broken WWW UI on SPA504G.
All SPA5xx, SPA3xx, SPA1xx and SPA2xx with current firmware seem to be affected by the issue (this does not mean that older firmwares are not vulnerable, I just did not test them).
disable all inter-phone network connectivity on the switch (our way; it requires a switch that can do it)
configure the CISCO_XML_EXE_Auth_Mode value (but the WWW UI becomes unusable then)
Because bill fraud may occur, this needs to be considered a severe security incident.
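For networks that cannot yet isolate phones on the switch, one way to spot abuse of the open endpoint is to watch HTTP traffic reaching the phone VLAN for /CGI/Execute requests that come from anything other than the provisioning host, or that carry no authentication. The script below is an added example, not from the original post: it parses a constructed access log in an assumed "src dst method path auth" format, and the phone subnet and management host are assumed values.

```python
import ipaddress
import re

# Constructed sample of an HTTP access log captured on a mirror port in front
# of the phone VLAN. Format assumed: "src dst method path auth". Not from the post.
SAMPLE_LOG = """\
10.10.5.20 10.10.5.31 POST /CGI/Execute no
10.10.0.5 10.10.5.31 POST /CGI/Execute yes
10.10.5.22 10.10.5.33 GET /index.htm no
10.10.5.40 10.10.5.31 POST /CGI/Execute no
10.10.0.5 10.10.5.32 POST /CGI/Execute no
"""

PHONE_SUBNET = ipaddress.ip_network("10.10.5.0/24")   # assumed phone VLAN
MGMT_HOSTS = {ipaddress.ip_address("10.10.0.5")}       # assumed provisioning host

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(yes|no)$")


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst, method, path, auth = m.groups()
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "method": method, "path": path, "authenticated": auth == "yes"}


def find_execute_abuse(log_text, phone_subnet=PHONE_SUBNET, mgmt_hosts=MGMT_HOSTS):
    """Flag /CGI/Execute requests to a phone that come from a non-management host
    (the inter-phone traffic the post recommends blocking on the switch) or that
    arrive without authentication (the default CISCO_XML_EXE_Auth_Mode behaviour)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"].lower() != "/cgi/execute" or rec["dst"] not in phone_subnet:
            continue
        reasons = []
        if rec["src"] not in mgmt_hosts:
            reasons.append("source is not a management host")
        if not rec["authenticated"]:
            reasons.append("request carried no authentication")
        if reasons:
            findings.append({"src": str(rec["src"]), "dst": str(rec["dst"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_execute_abuse(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {'; '.join(f['reasons'])}")
```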