CVE Alert: CVE-2025-20350 – Cisco – Cisco Session Initiation Protocol (SIP) Software

CVE-2025-20350

HIGH · No exploitation known

A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 running Cisco SIP Software could allow an unauthenticated, remote attacker to cause a DoS condition on an affected device. This vulnerability is due to a buffer overflow when an affected device processes HTTP packets. An attacker could exploit this vulnerability by sending crafted HTTP input to the device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition. Note: To exploit this vulnerability, the phone must be registered to Cisco Unified Communications Manager and have Web Access enabled. Web Access is disabled by default.

CVSS v3.1 (7.5)
AV NETWORK · AC LOW · PR NONE · UI NONE · S UNCHANGED
Vendor: Cisco
Product: Cisco Session Initiation Protocol (SIP) Software
Versions:
12.1(1)SR1 | 11.5(1) | 10.3(2) | 10.2(2) | 10.3(1) | 10.3(1)SR4 | 11.0(1) | 10.4(1)SR2 3rd Party | 11.7(1) | 12.1(1) | 11.0(0.7) MPP | 9.3(4) 3rd Party | 12.5(1)SR2 | 10.2(1)SR1 | 9.3(4)SR3 3rd Party | 10.2(1) | 12.5(1) | 10.3(1)SR2 | 11-0-1MSR1-1 | 10.4(1) 3rd Party | 12.5(1)SR1 | 11.5(1)SR1 | 10.1(1)SR2 | 12.0(1)SR2 | 12.6(1) | 10.3(1.11) 3rd Party | 12.0(1) | 12.0(1)SR1 | 9.3(3) | 12.5(1)SR3 | 10.3(1)SR4b | 9.3(4)SR1 3rd Party | 10.3(1)SR5 | 10.1(1.9) | 10.3(1.9) 3rd Party | 9.3(4)SR2 3rd Party | 10.3(1)SR1 | 10.3(1)SR3 | 10.1(1)SR1 | 12.0(1)SR3 | 12.6(1)SR1 | 12.7(1) | 10.3(1)SR6 | 12.8(1) | 12.7(1)SR1 | 11.0(2)SR1 | 11.0(4) | 11.0(2) | 11.0(4)SR3 | 11.0(5) | 11.0(3)SR2 | 11.0(3)SR4 | 11.0(3)SR3 | 11.0(2)SR2 | 11.0(4)SR1 | 11.0(5)SR3 | 11.0(3) | 11.0(5)SR2 | 11.0(3)SR6 | 11.0(5)SR1 | 11.0(4)SR2 | 11.0(3)SR1 | 11.0(3)SR5 | 11.0(6) | 12.8(1)SR1 | 12.8(1)SR2 | 14.0(1) | 14.0(1)SR1 | 11.0(6)SR1 | 10.3(1)SR7 | 14.0(1)SR2 | 14.1(1) | 14.0(1)SR3 | 11.0(6)SR2 | 14.1(1)SR1 | 14.1(1)SR2 | 11.0(6)SR4 | 14.2(1) | 14.2(1)SR1 | 11.0(6)SR5 | 14.1(1)SR3 | 14.2(1)SR2 | 3.1(1) | 3.0(1) | 2.3(1) | 2.3(1)SR1 | 2.2(1) | 2.1(1) | 2.0(1) | 14.2(1)SR3 | 3.1(1)SR1 | 14.3(1) | 3.2(1) | 14.3(1)SR1 | 14.2(1)SR4 | 11.0(6)SR6
CWE: CWE-121, Stack-based Buffer Overflow
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Published: 2025-10-15T16:15:10.244Z
Updated: 2025-10-15T17:42:59.642Z

AI Summary Analysis

Risk verdict

High potential impact for affected Cisco SIP‑software deployments, but no public exploitation observed to date; treat as a priority if the devices are reachable and Web Access is enabled.

Why this matters

Unauthenticated remote access could cause a DoS by forcing phones to reload, disrupting UC services and call handling. In environments with centralised call control, even brief outages can cascade into missed calls, voicemail delays, and degraded collaboration across sites.

Most likely attack path

An attacker could send crafted HTTP input to the device’s web UI over the network. Preconditions: the phone must be registered to Cisco Unified Communications Manager (CUCM) and have Web Access enabled; otherwise exploitation is blocked. With network access and low attack complexity, an unauthenticated actor could trigger a DoS via the buffer overflow without user interaction. Lateral movement is unlikely; impact is primarily device availability.

Who is most exposed

Enterprise deployments of Cisco SIP devices (phones and video phones) with Web Access enabled and reachable management interfaces, especially at branch offices or sites with exposed internal networks or VPN-less access.

Detection ideas

  • Sudden, repeated device reloads or reboots logged on affected endpoints.
  • Anomalous HTTP traffic patterns to the phone web UI, including malformed or oversized requests.
  • Logs showing web UI abuse attempts or unexpected reload events in CUCM-integrated devices.
  • Syslog/SNMP traps indicating phone reboots or interface instability.
  • Unusual spikes in phone latency or service disruption across UC services.
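
One way to combine the first two ideas above is to correlate phone reloads with web UI requests that came from outside the management subnets or were unusually large. This is an added example, not code from Cisco or from this site; the event fields, subnets, time window and size threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions, tune per site: management subnets allowed to reach phone web UIs,
# the request-to-reload window, and what counts as an oversized request.
TRUSTED_MGMT = [ip_network("10.10.0.0/24")]
WINDOW = timedelta(seconds=120)
MAX_REQUEST_BYTES = 8192

def is_trusted(src):
    return any(ip_address(src) in net for net in TRUSTED_MGMT)

def correlate(http_events, reload_events):
    """Map each phone to its reloads preceded by suspicious web UI traffic.
    http_events: dicts with ts, src, dst, bytes (e.g. from flow or proxy logs).
    reload_events: dicts with ts, phone (e.g. from re-registration or syslog).
    """
    by_phone = defaultdict(list)
    for ev in http_events:
        reasons = []
        if not is_trusted(ev["src"]):
            reasons.append("untrusted-source")
        if ev["bytes"] > MAX_REQUEST_BYTES:
            reasons.append("oversized-request")
        if reasons:
            by_phone[ev["dst"]].append((datetime.fromisoformat(ev["ts"]), ev["src"], reasons))
    findings = defaultdict(list)
    for rel in reload_events:
        t_reload = datetime.fromisoformat(rel["ts"])
        for t_http, src, reasons in by_phone.get(rel["phone"], []):
            if timedelta(0) <= t_reload - t_http <= WINDOW:
                findings[rel["phone"]].append({"reload": rel["ts"], "src": src, "reasons": reasons})
    return dict(findings)

# Constructed sample data, not taken from any real device or log source.
HTTP = [
    {"ts": "2025-10-16T09:00:05", "src": "10.10.0.15", "dst": "10.20.1.31", "bytes": 412},
    {"ts": "2025-10-16T09:14:40", "src": "10.30.7.88", "dst": "10.20.1.31", "bytes": 20480},
    {"ts": "2025-10-16T09:20:02", "src": "10.30.7.88", "dst": "10.20.1.31", "bytes": 20480},
    {"ts": "2025-10-16T09:21:00", "src": "10.30.7.88", "dst": "10.20.1.44", "bytes": 300},
]
RELOADS = [
    {"ts": "2025-10-16T09:15:10", "phone": "10.20.1.31"},
    {"ts": "2025-10-16T09:20:30", "phone": "10.20.1.31"},
    {"ts": "2025-10-16T11:00:00", "phone": "10.20.1.44"},
]
```

With the sample data, `correlate(HTTP, RELOADS)` flags only 10.20.1.31, which reloaded twice within the window after oversized requests from an untrusted source; the reload of 10.20.1.44 falls outside the window and is not flagged.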

Mitigation and prioritisation

  • Apply Cisco firmware updates that contain the fix; verify compatibility in a staging environment before broad rollout.
  • If patching is delayed, disable Web Access on affected devices or restrict management interfaces to trusted networks/VPN only.
  • Implement network access controls to limit HTTP/Web UI access to CM-managed subnets.
  • Enhance monitoring for phone reboots and web UI anomalous traffic; enable detailed logging on the web interface.
  • Plan and perform a controlled upgrade with a rollback path and test calls post‑patch.
