CVE-2024-20533
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in Cisco phone web UIs allows an authenticated remote attacker with admin credentials to inject malicious scripts, potentially stealing sensitive data or performing unauthorized actions. It affects Cisco Desk Phone 9800 Series, IP Phone 6800/7800/8800 Series, and Video Phone 8875 with Multiplatform Firmware when Web Access is enabled. Web Access is disabled by default, limiting exposure.
💻 Affected Systems
- Cisco Desk Phone 9800 Series
- Cisco IP Phone 6800 Series
- Cisco IP Phone 7800 Series
- Cisco IP Phone 8800 Series
- Cisco Video Phone 8875
📦 What is this software?
Cisco products with Multiplatform Firmware listed for this CVE:
- Desk Phone 9841, 9851, 9861, 9871 With Multiplatform Firmware
- IP Phone 6821, 6841, 6851, 6861, 6871 With Multiplatform Firmware
- IP Phone 7811, 7821, 7832, 7841, 7861 With Multiplatform Firmware
- IP Phone 8811, 8831, 8832, 8841, 8845, 8851, 8861, 8865 With Multiplatform Firmware
- Video Phone 8875 With Multiplatform Firmware
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains admin access, executes arbitrary scripts to steal credentials, manipulate phone settings, or pivot to other network systems.
Likely Case
Limited impact due to need for admin credentials and enabled Web Access; possible data theft or session hijacking if exploited.
If Mitigated
Minimal risk if Web Access is disabled or patched; attacker cannot exploit without admin access.
🎯 Exploit Status
Exploitation requires admin access and enabled Web Access, reducing likelihood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Cisco advisory for specific fixed versions.
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-mpp-xss-8tAV2TvF
Restart Required: Yes
Instructions:
1. Check the current firmware version on affected phones.
2. Download and apply the patched firmware from Cisco.
3. Restart phones to apply changes.
4. Verify the update via web UI or CLI.
🔧 Temporary Workarounds
Disable Web Access
Turn off Web Access on affected phones to prevent remote exploitation.
Access the phone admin interface, navigate to Network Settings > Web Access, and set it to Disabled.
🧯 If You Can't Patch
- Disable Web Access on all affected phones to block remote attacks.
- Restrict network access to phone admin interfaces using firewalls or VLANs.
🔍 How to Verify
Check if Vulnerable:
Check whether Web Access is enabled and whether the firmware version falls within the vulnerable range given in the Cisco advisory.
Check Version:
Access the phone web UI or use the CLI command 'show version' to check firmware details.
Verify Fix Applied:
Confirm the firmware version matches the patched version listed in the advisory, and check the Web Access status.
📡 Detection & Monitoring
Log Indicators:
- Unusual admin login attempts or script injections in web UI logs.
Network Indicators:
- Suspicious HTTP requests to phone admin pages with script payloads.
SIEM Query:
Search for POST requests to phone admin interfaces containing script tags or encoded payloads.
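The SIEM query above can be prototyped offline. The following script is an added example, not part of this CVE entry or of any Cisco tooling: it scans a constructed request log for POST requests to admin pages whose form body, after URL and HTML-entity decoding, contains script tags, javascript: URIs, inline event handlers or injectable HTML elements. The log line format, the /admin/ path prefix and the parameter name display_name are assumptions for the demonstration and should be adjusted to whatever the real phone or reverse proxy logs.

```python
import re
from html import unescape
from urllib.parse import unquote_plus

# Constructed sample request log, not captured from a real phone. Assumed line
# format: '<timestamp> <client_ip> <METHOD> <path> "<form body>"'.
SAMPLE_LOG = """\
2024-10-16T10:01:02Z 10.0.0.5 GET /admin/advanced ""
2024-10-16T10:01:09Z 10.0.0.5 POST /admin/advanced "display_name=Lobby+Phone"
2024-10-16T10:02:15Z 10.0.0.9 POST /admin/advanced "display_name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
2024-10-16T10:02:40Z 10.0.0.9 POST /admin/advanced "display_name=&lt;img src=x onerror=alert(1)&gt;"
2024-10-16T10:03:01Z 10.0.0.7 POST /user/prefs "note=%3Cscript%3E"
2024-10-16T10:03:30Z 10.0.0.9 GET /admin/advanced?q=%3Cscript%3E ""
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "(?P<body>.*)"$'
)

# Assumption: the phone's admin pages live under /admin/. Change to the real prefix.
ADMIN_PATH_RE = re.compile(r"^/admin(/|$)", re.I)

# Script-bearing content to surface once the body has been decoded.
SCRIPT_PATTERNS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\bon(error|load|click|mouseover|focus|input)\s*=", re.I),
    "html_injection": re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I),
}


def normalize(payload: str, rounds: int = 3) -> str:
    """Undo URL-encoding and HTML entities, repeating a few times so that
    double-encoded payloads (%253C, &amp;lt;) still decode to plain text."""
    current = payload
    for _ in range(rounds):
        decoded = unescape(unquote_plus(current))
        if decoded == current:
            break
        current = decoded
    return current


def parse_line(line: str):
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def script_indicators(body: str) -> list:
    """Return the names of SCRIPT_PATTERNS that match the decoded body."""
    decoded = normalize(body)
    return [name for name, rx in SCRIPT_PATTERNS.items() if rx.search(decoded)]


def scan(log_text: str) -> list:
    """Flag POST requests to admin pages whose body carries script content.
    Each hit records source, path, whether the payload was encoded, and why it matched."""
    hits = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if not entry or entry["method"] != "POST":
            continue
        if not ADMIN_PATH_RE.match(entry["path"]):
            continue
        reasons = script_indicators(entry["body"])
        if not reasons:
            continue
        hits.append({
            "ts": entry["ts"],
            "src": entry["src"],
            "path": entry["path"],
            "encoded": normalize(entry["body"]) != entry["body"],
            "reasons": reasons,
        })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

On the constructed log this yields two hits, both from 10.0.0.9: the URL-encoded script tag and the entity-encoded img/onerror payload. The benign display-name change and the GET request with a script in the query string are not reported, because the rule, like the query text above, is scoped to POST bodies on admin pages; the decoding step is what keeps encoded payloads from slipping past a plain substring search.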