CVE-2025-20335

Q: What is the severity of CVE-2025-20335?

CVE-2025-20335 has a CVSS score of 5.3 (MEDIUM). An authentication bypass vulnerability in Cisco desk and IP phones allows unauthenticated remote attackers to write arbitrary files to specific directories when web access is enabled. This affects Cisco Desk Phone 9800 Series, IP Phone 7800/8800 Series, and Video Phone 8875. Web access is disabled by default, limiting exposure.

5.3 MEDIUM

Authentication Bypass

📋 TL;DR

An authentication bypass vulnerability in Cisco desk and IP phones allows unauthenticated remote attackers to write arbitrary files to specific directories when web access is enabled. This affects Cisco Desk Phone 9800 Series, IP Phone 7800/8800 Series, and Video Phone 8875. Web access is disabled by default, limiting exposure.

💻 Affected Systems

Products:

Cisco Desk Phone 9800 Series
Cisco IP Phone 7800 Series
Cisco IP Phone 8800 Series
Cisco Video Phone 8875

Versions: All versions prior to patch

Operating Systems: Cisco Phone OS

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when Web Access feature is enabled (disabled by default)

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing persistence, credential theft, or lateral movement within the network

🟠

Likely Case

Service disruption, configuration modification, or installation of malicious scripts

🟢

If Mitigated

No impact if web access remains disabled or proper network segmentation is in place

🌐 Internet-Facing: MEDIUM - Requires web access enabled and direct internet exposure

🏢 Internal Only: LOW - Requires internal attacker with network access to vulnerable phones

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Requires crafted HTTP request to vulnerable endpoint when web access enabled

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Cisco advisory for specific firmware versions

Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-phone-write-g3kcC5Df

Restart Required: No

Instructions:

1. Access Cisco advisory 2. Download appropriate firmware for your phone model 3. Upload firmware via phone administration interface 4. Apply update without restart required

🔧 Temporary Workarounds

Disable Web Access

all

Disable the web access feature on all affected phones

Navigate to Phone Settings > Security > Web Access > Disable

🧯 If You Can't Patch

Disable web access on all affected phones
Implement network segmentation to isolate phones from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check if web access is enabled on phone and firmware version is unpatched

Check Version:

Check phone information via Settings > Status > Firmware Version

Verify Fix Applied:

Verify firmware version matches patched version in Cisco advisory and web access remains disabled

📡 Detection & Monitoring

Log Indicators:

Unusual file write operations in phone logs
Multiple failed authentication attempts followed by successful file writes

Network Indicators:

HTTP requests to phone web interface from unexpected sources
Unusual outbound connections from phones

SIEM Query:

source="cisco-phone" AND (event="file_write" OR event="web_access")

📊 Metadata

CVE ID: CVE-2025-20335

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE: CWE-284

EPSS Score: 0.06% exploit probability (17th percentile)

Published: September 3, 2025

Last Updated: January 5, 2026

🔗 References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-phone-write-g3kcC5Df Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Desk Phone 9841 Firmware by Cisco

Desk Phone 9851 Firmware by Cisco

Desk Phone 9861 Firmware by Cisco

Desk Phone 9871 Firmware by Cisco

Ip Phone 7811 Firmware by Cisco

Ip Phone 7811 Firmware by Cisco

Ip Phone 7811 Firmware by Cisco

Ip Phone 7821 Firmware by Cisco

Ip Phone 7821 Firmware by Cisco

Ip Phone 7821 Firmware by Cisco

Ip Phone 7841 Firmware by Cisco

Ip Phone 7841 Firmware by Cisco

Ip Phone 7841 Firmware by Cisco

Ip Phone 7861 Firmware by Cisco

Ip Phone 7861 Firmware by Cisco

Ip Phone 7861 Firmware by Cisco

Ip Phone 8811 Firmware by Cisco

Ip Phone 8811 Firmware by Cisco

Ip Phone 8811 Firmware by Cisco

Ip Phone 8821 Firmware by Cisco

Ip Phone 8821 Firmware by Cisco

Ip Phone 8821 Firmware by Cisco

Ip Phone 8821 Firmware by Cisco

Ip Phone 8821 Firmware by Cisco

Ip Phone 8821 Firmware by Cisco

Ip Phone 8821 Firmware by Cisco

Ip Phone 8841 Firmware by Cisco

Ip Phone 8841 Firmware by Cisco

Ip Phone 8841 Firmware by Cisco

Ip Phone 8845 Firmware by Cisco

Ip Phone 8845 Firmware by Cisco

Ip Phone 8845 Firmware by Cisco

Ip Phone 8851 Firmware by Cisco

Ip Phone 8851 Firmware by Cisco

Ip Phone 8851 Firmware by Cisco

Ip Phone 8851nr Firmware by Cisco

Ip Phone 8851nr Firmware by Cisco

Ip Phone 8851nr Firmware by Cisco

Ip Phone 8861 Firmware by Cisco

Ip Phone 8861 Firmware by Cisco

Ip Phone 8861 Firmware by Cisco

Ip Phone 8865 Firmware by Cisco

Ip Phone 8865 Firmware by Cisco

Ip Phone 8865 Firmware by Cisco

Video Phone 8875 Firmware by Cisco

Video Phone 8875 Firmware by Cisco

Video Phone 8875 Firmware by Cisco

Video Phone 8875 Firmware by Cisco

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable Web Access

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities