What is CVE-2024-20454?

CVE-2024-20454 is a critical-severity vulnerability in Cisco Small Business Ip Phones, classified under Buffer Copy without Checking Size of Input (Classic Buffer Overflow). CVSS score: 9.8/10. Published 2024-08-07.

How severe is CVE-2024-20454?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Is CVE-2024-20454 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Buffer overflow in Cisco Small Business Ip Phones

CVE-2024-20454

Multiple vulnerabilities in the web-based management interface of Cisco Small Business SPA300 Series IP Phones and Cisco Small Business SPA500 Series IP Phones could allow an unauthenticated, remote attacker to execute arbitrary commands o…

Vulnerability class: Buffer Overflow

EPSS: 0.117 (93.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Cisco Small Business Ip Phones — versions 7.6.0, 7.6.2, 7.6.2SR3

Weakness classification (CWE)

CWE-120 — Buffer Copy without Checking Size of Input (Classic Buffer Overflow)

Public proof-of-concept exploits

ARPSyndicate/cve-scores

References

cisco-sa-spa-http-vulns-RJZmX2Xz

Frequently asked questions

What is CVE-2024-20454?: CVE-2024-20454 is a critical-severity vulnerability in Cisco Small Business Ip Phones, classified under Buffer Copy without Checking Size of Input (Classic Buffer Overflow). CVSS score: 9.8/10. Published 2024-08-07.
How severe is CVE-2024-20454?: Critical severity. CVSS v3 base score is 9.8 out of 10.
Is CVE-2024-20454 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.