Cyber Resilience

CVE-2024-20378

Severity: High

Published: 01 May 2024
Modified: 05 January 2026
KEV Added
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0080 (74.4th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-20378 is a high-severity Authentication Bypass by Primary Weakness (CWE-305) vulnerability in Cisco IP Phone 6821 with Multiplatform Firmware. Its CVSS base score is 7.5 (High).

Operationally, it is ranked in the top 25.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Vulnerability details

A vulnerability in the web-based management interface of Cisco IP Phone firmware could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device. This vulnerability is due to a lack of authentication for specific endpoints of the web-based management interface on an affected device. An attacker could exploit this vulnerability by connecting to the affected device. A successful exploit could allow the attacker to gain unauthorized access to the device, enabling the recording of user credentials and traffic to and from the affected device, including VoIP calls that could be replayed.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

cisco · ip phone 6821 with multiplatform firmware · 12.0.4 · ≤ 12.0.4
cisco · ip phone 6841 with multiplatform firmware · 12.0.4 · ≤ 12.0.4
cisco · ip phone 6851 with multiplatform firmware · 12.0.4 · ≤ 12.0.4
cisco · ip phone 6861 with multiplatform firmware · 12.0.4 · ≤ 12.0.4
cisco · ip phone 6871 with multiplatform firmware · 12.0.4 · ≤ 12.0.4
cisco · ip phone 7811 with multiplatform firmware · 12.0.4 · ≤ 12.0.4
cisco · ip phone 7821 with multiplatform firmware · 12.0.4 · ≤ 12.0.4
cisco · ip phone 7841 with multiplatform firmware · 12.0.4 · ≤ 12.0.4
cisco · ip phone 7861 with multiplatform firmware · 12.0.4 · ≤ 12.0.4
cisco · ip phone 8811 with multiplatform firmware · 12.0.4 · ≤ 12.0.4
+5 more product configuration(s) — see NVD for full list

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
