Cyber Resilience

CVE-2020-3161

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 15 April 2020
Modified: 28 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8709 (99.5th percentile)
Risk Priority: 92 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-3161 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Cisco IP Phone 8865 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.5% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A vulnerability exists in the web server component of Cisco IP Phones due to improper input validation of HTTP requests, tracked as CWE-20. This flaw affects multiple models of Cisco IP Phones and carries a CVSS v3.1 score of 9.8, reflecting its critical severity and network-exploitable nature without authentication.

An unauthenticated remote attacker can exploit the issue by sending a specially crafted HTTP request to the device's web server. Successful exploitation grants the ability to execute arbitrary code with root privileges on the phone or trigger a reload that results in a denial-of-service condition.

The Cisco Security Advisory cisco-sa-voip-phones-rce-dos-rB6EeRXs and public proof-of-concept files on Packet Storm detail the remote code execution and denial-of-service vectors. CVE-2020-3161 is listed in CISA's Known Exploited Vulnerabilities Catalog, confirming observed in-the-wild exploitation.

Vulnerability details

A vulnerability in the web server for Cisco IP Phones could allow an unauthenticated, remote attacker to execute code with root privileges or cause a reload of an affected IP phone, resulting in a denial of service (DoS) condition. The vulnerability is due to a lack of proper input validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web server of a targeted device. A successful exploit could allow the attacker to remotely execute code with root privileges or cause a reload of an affected IP phone, resulting in a DoS condition.

CWE(s): CWE-20
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

cisco ip phone 8865 firmware: 10.3(1)es14, 11.0(1), 11.0(5)sr1
cisco ip phone 8851 firmware: 10.3(1)es14, 11.0(1), 11.0(5)sr1
cisco ip phone 7841 firmware: 11.0(1)
cisco ip phone 7821 firmware: 11.0(1)
cisco ip phone 8811 firmware: 10.3(1)es14, 11.0(1), 11.0(5)sr1
cisco ip phone 8861 firmware: 10.3(1)es14, 11.0(1), 11.0(5)sr1
cisco ip phone 8845 firmware: 10.3(1)es14, 11.0(1), 11.0(5)sr1
cisco ip phone 7861 firmware: 11.0(1)
cisco ip phone 8841 firmware: 10.3(1)es14, 11.0(1), 11.0(5)sr1
cisco ip phone 7811 firmware: 11.0(1)
+3 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly requires validation of HTTP inputs to the phone web server, blocking the crafted requests that exploit the CWE-20 flaw.

prevent: Boundary-protection mechanisms can restrict or filter traffic to the exposed web server, reducing the attack surface for unauthenticated remote exploitation.

prevent: Mandates timely remediation of the known vulnerable web-server code, eliminating the root cause before exploitation occurs.

References