CVE-2022-20660
PUBLISHED
CVSS 4.6 MEDIUM
A vulnerability in the information storage architecture of several Cisco IP Phone models could allow an unauthenticated, physical attacker to obtain confidential information from an affected device. This vulnerability is due to unencrypted storage of confidential information on an affected device. An attacker could exploit this vulnerability by physically extracting and accessing one of the flash memory chips. A successful exploit could allow the attacker to obtain confidential information from the device, which could be used for subsequent attacks.
EPSS 0.09% · 24.9th percentile
Risk Scores
CVSS 3.1
4.6
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score
0.09%
24.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| cisco | ip_phone_8845_firmware | 0 |
| cisco | unified_ip_phone_7975g_firmware | |
| cisco | unified_ip_conference_phone_8831_for_third-party_call_control_firmware | |
| cisco | unified_ip_phone_7965g_firmware | |
| cisco | unified_ip_phone_7945g_firmware | |
| cisco | ip_phone_8861_firmware | 0 |
| cisco | wireless_ip_phone_8821_firmware | 0 |
| cisco | ip_phone_8841_firmware | 0 |
| cisco | ip_phone_7861_firmware | 0 |
| cisco | ip_conference_phone_7832_firmware | 0 |
| cisco | ip_phone_8865_firmware | 0 |
| cisco | unified_sip_phone_3905_firmware | 0 |
| cisco | ip_phone_7841_firmware | 0 |
| cisco | unified_ip_conference_phone_8831_firmware | |
| cisco | ip_phone_8811_firmware | 0 |
| cisco | ip_phone_8851_firmware | 0 |
| cisco | ip_phone_7811_firmware | 0 |
| cisco | wireless_ip_phone_8821-ex_firmware | 0 |
| Cisco | Cisco Session Initiation Protocol (SIP) Software | n/a |
| cisco | ip_conference_phone_8832_firmware | 0 |
…and 1 more
Exploit Intelligence
- http://packetstormsecurity.com/files/165567/Cisco-IP-Phone-Cleartext-Password-Storage.html (nist-nvd)
- 20220113 Cisco IP Phones Information Disclosure Vulnerability (circl)
- 20220114 SEC Consult SA-20220113-0 :: Cleartext Storage of Phone Password in Cisco IP Phones (circl)
- Cisco IP Phone Cleartext Password Storage Vulnerability (0day-today)
Timeline
- Jan 12, 2022 CVE Published
- Jan 17, 2022 PoC Published
- Feb 8, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 24, 2022 EPSS Score
- Jul 16, 2022 EPSS Score
- Sep 7, 2022 EPSS Score
- Oct 29, 2022 EPSS Score
- Dec 21, 2022 EPSS Score
- Feb 11, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 5, 2023 EPSS Score
References
- 20220113 Cisco IP Phones Information Disclosure Vulnerability vendor-advisory
- 20220114 SEC Consult SA-20220113-0 :: Cleartext Storage of Phone Password in Cisco IP Phones mailing-list
- http://packetstormsecurity.com/files/165567/Cisco-IP-Phone-Cleartext-Password-Storage.html url
- https://nvd.nist.gov/vuln/detail/CVE-2022-20660 advisory