CVE-2023-25437

8.8 HIGH

📋 TL;DR

This vulnerability in vTech VCS754 business phones exposes SIP credentials: the passwords are embedded in cleartext in the raw HTML of the web interface. Attackers who can read that page source can obtain the credentials, gain escalated privileges and access sensitive information. Affects vTech VCS754 firmware from version 1.1.1.A up to, but not including, 1.1.1.H.

💻 Affected Systems

Products:
  • vTech VCS754 business phones
Versions: 1.1.1.A up to, but not including, 1.1.1.H
Operating Systems: Embedded phone system OS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web interface of the phones where credentials are exposed in HTML source.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the phone system, unauthorized calls, eavesdropping on communications, and lateral movement to other network systems.

🟠 Likely Case

SIP credential theft leading to unauthorized phone calls, toll fraud, and potential access to voicemail systems.

🟢 If Mitigated

Limited to credential exposure without further system compromise, provided proper network segmentation and monitoring are in place.

🌐 Internet-Facing: HIGH - If the phones' web interface is reachable from the internet, attackers can exploit this vulnerability remotely without credentials.
🏢 Internal Only: MEDIUM - Internal attackers or malware on the LAN could read the credentials from the web interface and escalate privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only access to the phone's web interface: the credentials are visible in cleartext in the HTML source of the page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.1.H

Vendor Advisory: https://yechiel.xyz/vulnerability-in-vtechs-vcs754a-business-phones-exposes-sip-credentials

Restart Required: Yes

Instructions:

1. Download firmware version 1.1.1.H from vTech support.
2. Upload the firmware through the phone's web interface.
3. Apply the update.
4. Reboot the phone.

🔧 Temporary Workarounds

Restrict web interface access

Platform: linux

Block external access to the phone web interfaces using firewall rules. The rules below drop all inbound HTTP and HTTPS on the host they are applied to; if you apply them on a firewall in the path to the phones, add ACCEPT rules for the management subnet ahead of them so administrators keep access.

# Drop inbound HTTP (80) and HTTPS (443) to the web interface
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Change SIP credentials

Platform: all

Change the SIP passwords to limit the damage if the current credentials have already been read from the page source; rotate them again after patching.

🧯 If You Can't Patch

  • Isolate the phones on a separate VLAN with strict firewall rules, so only the SIP server and a management subnet can reach them
  • Disable web interface access entirely if it is not required

🔍 How to Verify

Check if Vulnerable:

Open the phone's web interface, view the page source, and search for the SIP password fields. If the password appears in cleartext in the source, the phone is vulnerable.
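As an added example (not from this page or the vendor), a small Python check that parses saved page source and flags password-type inputs that carry a non-empty value, which is exactly the exposure described above. The HTML samples are constructed for illustration and do not reproduce the VCS754's actual markup; the field names are assumptions.

```python
"""Check saved web-UI page source for SIP password fields whose value is
embedded in cleartext (CVE-2023-25437 style exposure). Added example."""
from html.parser import HTMLParser
from typing import Dict, List

# Constructed sample of what a vulnerable page might look like (not vendor markup).
VULNERABLE_HTML = """<html><body><form action="/sip.cgi">
<input type="text" name="sip_user" value="1001">
<input type="password" name="sip_password" value="s3cr3t-example">
</form></body></html>"""

# Constructed sample of a fixed page: the secret is no longer echoed into the source.
PATCHED_HTML = """<html><body><form action="/sip.cgi">
<input type="text" name="sip_user" value="1001">
<input type="password" name="sip_password" value="">
</form></body></html>"""


class PasswordFieldAuditor(HTMLParser):
    """Collect <input> fields that look like secrets and ship with a value."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Dict[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}  # valueless attrs -> ""
        name = a.get("name", "").lower()
        is_secret = a.get("type", "").lower() == "password" or "pass" in name
        # A secret-bearing field with a non-empty value attribute is the exposure.
        if is_secret and a.get("value", "").strip():
            # Record only the length, never the secret itself, so reports stay safe.
            self.findings.append({"name": name, "value_length": str(len(a["value"]))})


def find_cleartext_credentials(html: str) -> List[Dict[str, str]]:
    """Return the secret fields found in page source (values are not echoed)."""
    auditor = PasswordFieldAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def is_vulnerable(html: str) -> bool:
    """True when at least one password field carries a cleartext value."""
    return bool(find_cleartext_credentials(html))


if __name__ == "__main__":
    for label, page in (("vulnerable", VULNERABLE_HTML), ("patched", PATCHED_HTML)):
        print(label, find_cleartext_credentials(page))
```

Feed it the page source saved from your own phone before and after the firmware update; a patched device should yield no findings.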

Check Version:

Check the phone web interface status page, or use:

curl -s http://phone-ip/status | grep Firmware

Verify Fix Applied:

After patching, verify that the credentials are no longer visible in the HTML source and that the reported firmware version is 1.1.1.H or later.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts to phone web interface
  • Unusual SIP registration attempts from new IPs

Network Indicators:

  • HTTP requests to phone web interfaces from unexpected sources
  • SIP traffic from unauthorized endpoints

SIEM Query:

source="phone-web-logs" AND (url="*password*" OR (status=200 AND user_agent="*scanner*"))
