CVE-2025-20350
BaseFortify
Publication date: 2025-10-15
Last updated on: 2025-12-04
Assigner: Cisco Systems, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | desk_phone_9871_firmware | From 3.0\(1\) (inc) to 3.2\(1\) (inc) |
| cisco | desk_phone_9871 | * |
| cisco | desk_phone_9841_firmware | From 3.0\(1\) (inc) to 3.2\(1\) (inc) |
| cisco | desk_phone_9841 | * |
| cisco | desk_phone_9851_firmware | From 3.0\(1\) (inc) to 3.2\(1\) (inc) |
| cisco | desk_phone_9851 | * |
| cisco | desk_phone_9861_firmware | From 3.0\(1\) (inc) to 3.2\(1\) (inc) |
| cisco | desk_phone_9861 | * |
| cisco | ip_phone_8865_firmware | to 14.3\(1\) (exc) |
| cisco | ip_phone_8865_firmware | 14.3\(1\) |
| cisco | ip_phone_8865 | * |
| cisco | ip_phone_7811_firmware | to 14.3\(1\) (exc) |
| cisco | ip_phone_7811_firmware | 14.3\(1\) |
| cisco | ip_phone_7811 | * |
| cisco | ip_phone_7821_firmware | to 14.3\(1\) (exc) |
| cisco | ip_phone_7821_firmware | 14.3\(1\) |
| cisco | ip_phone_7821 | * |
| cisco | ip_phone_7841_firmware | to 14.3\(1\) (exc) |
| cisco | ip_phone_7841_firmware | 14.3\(1\) |
| cisco | ip_phone_7841 | * |
| cisco | ip_phone_7861_firmware | to 14.3\(1\) (exc) |
| cisco | ip_phone_7861_firmware | 14.3\(1\) |
| cisco | ip_phone_7861 | * |
| cisco | ip_phone_8811_firmware | to 14.3\(1\) (exc) |
| cisco | ip_phone_8811_firmware | 14.3\(1\) |
| cisco | ip_phone_8811 | * |
| cisco | ip_phone_8832_firmware | to 14.3\(1\) (exc) |
| cisco | ip_phone_8832_firmware | 14.3\(1\) |
| cisco | ip_phone_8832 | * |
| cisco | ip_phone_8841_firmware | to 14.3\(1\) (exc) |
| cisco | ip_phone_8841_firmware | 14.3\(1\) |
| cisco | ip_phone_8841 | * |
| cisco | ip_phone_8845_firmware | to 14.3\(1\) (exc) |
| cisco | ip_phone_8845_firmware | 14.3\(1\) |
| cisco | ip_phone_8845 | * |
| cisco | ip_phone_8851_firmware | to 14.3\(1\) (exc) |
| cisco | ip_phone_8851_firmware | 14.3\(1\) |
| cisco | ip_phone_8851 | * |
| cisco | ip_phone_8861_firmware | to 14.3\(1\) (exc) |
| cisco | ip_phone_8861_firmware | 14.3\(1\) |
| cisco | ip_phone_8861 | * |
| cisco | video_phone_8875_firmware | to 2.3\(1\) (exc) |
| cisco | video_phone_8875_firmware | From 3.0\(1\) (inc) to 3.2\(1\) (inc) |
| cisco | video_phone_8875_firmware | 2.3\(1\) |
| cisco | video_phone_8875 | * |
| cisco | ip_phone_8821_firmware | to 11.0\(1\) (exc) |
| cisco | ip_phone_8821_firmware | 11.0\(0.7\) |
| cisco | ip_phone_8821_firmware | 11.0\(1\) |
| cisco | ip_phone_8821_firmware | 11.0\(2\) |
| cisco | ip_phone_8821_firmware | 11.0\(3\) |
| cisco | ip_phone_8821_firmware | 11.0\(4\) |
| cisco | ip_phone_8821_firmware | 11.0\(5\) |
| cisco | ip_phone_8821_firmware | 11.0\(6\) |
| cisco | ip_phone_8821 | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a buffer overflow in the web UI of certain Cisco Desk Phones and Video Phones running Cisco SIP Software. It occurs when the device processes specially crafted HTTP packets, which can cause the device to reload unexpectedly, leading to a denial of service (DoS) condition. Exploitation requires the phone to be registered to Cisco Unified Communications Manager and have Web Access enabled, which is disabled by default.
How can this vulnerability impact me?
An attacker could exploit this vulnerability remotely without authentication to cause the affected device to reload, resulting in a denial of service (DoS) condition. This could disrupt phone communications and availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, confirm that Web Access is disabled on affected Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 devices. Web Access is disabled by default, so the phones to check are those where it has been turned on. Additionally, ensure phones are not unnecessarily registered to Cisco Unified Communications Manager with Web Access enabled. Monitor for firmware updates or patches from Cisco that address this vulnerability and apply them promptly once available.