Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 with SIP Software Vulnerabilities
TL;DR 📌
Cisco has identified multiple vulnerabilities in the Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 running Cisco SIP Software that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or conduct cross-site scripting (XSS) attacks against users of the phone web UI. The highest CVSS base score is 7.5 (High). Software updates are available, and there are no workarounds; disabling Web Access, which is off by default, removes the exposure.
What happened 🕵️‍♂️
Cisco has reported vulnerabilities in its Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875, all running Cisco Session Initiation Protocol (SIP) Software. An unauthenticated, remote attacker could exploit them to cause a denial of service (DoS) condition on the phone or to perform cross-site scripting (XSS) attacks against users of the phone web UI. Exploitation requires that the phone is registered to Cisco Unified Communications Manager and has Web Access enabled; Web Access is disabled by default, so a phone on default settings is not exploitable.
Affected products 🖥️
The following products are affected if they are running a vulnerable release of Cisco SIP Software, registered to Cisco Unified Communications Manager, and have Web Access enabled:
- Desk Phone 9800 Series
- IP Phone 7800 Series
- IP Phone 8800 Series
- Video Phone 8875
Fixed software 🔧
Upgrade to the first fixed release in your train (or later):
| Product | Running release | First Fixed Release |
|---|---|---|
| Desk Phone 9800 Series | 3 | 3.3(1) |
| IP Phone 7800 and 8800 Series | Earlier than 14.3 | Migrate to a fixed release. |
| IP Phone 7800 and 8800 Series | 14.3 | 14.3(1)SR2 |
| IP Phone 7800 and 8800 Series | 14.4 | Not vulnerable. |
| IP Phone 8821 | Earlier than 11 | Migrate to a fixed release. |
| IP Phone 8821 | 11 | 11.0(6)SR7 |
| Video Phone 8875 | 2.3(1)SR1 and earlier | Migrate to a fixed release. |
| Video Phone 8875 | 3 | 3.3(1) |
Advisory revision history: 1.0, initial public release.
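Checking a phone inventory against this table, as an added example that is not Cisco's code or tooling: the script below parses releases written the way the advisory writes them (for example `14.3(1)SR2`), decides per phone whether it is fixed, vulnerable, must migrate, is not vulnerable, or is not covered by the table, and combines that with the phone's Web Access setting, since only phones with Web Access enabled are exploitable. The inventory format and the sample rows are constructed for illustration; the model names and first-fixed releases are transcribed from the table above.

```python
"""Triage a phone inventory against the advisory's fixed-software table.

Added example, not Cisco's code. Assumes an inventory exported from
Unified CM as rows of (model, running SIP release, Web Access setting);
the export format and the rows below are constructed for illustration.
Releases are written as the advisory writes them, e.g. "14.3(1)SR2".
"""
from __future__ import annotations

import re
from dataclasses import dataclass

Version = tuple[int, int, int, int]  # (major, minor, maintenance, SR)

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(?:SR(\d+))?$")


def parse_release(text: str) -> Version:
    """Turn "11.0(6)SR7" into (11, 0, 6, 7); a missing SR suffix counts as SR0."""
    m = _RELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Cisco SIP release string: {text!r}")
    major, minor, maint, sr = m.groups()
    return int(major), int(minor), int(maint), int(sr or 0)


@dataclass(frozen=True)
class Rule:
    # release train (leading version components) -> first fixed release in that
    # train, or None when the advisory lists the train as not vulnerable
    fixed_by_train: dict[tuple[int, ...], str | None]
    # releases strictly below this version have no fix inside their train and
    # must migrate to a fixed release (None = the advisory has no such row)
    migrate_below: Version | None = None


# Transcribed from the advisory's fixed-software table.
RULES: dict[str, Rule] = {
    "Desk Phone 9800 Series": Rule({(3,): "3.3(1)"}),
    "IP Phone 7800 and 8800 Series": Rule(
        {(14, 3): "14.3(1)SR2", (14, 4): None}, migrate_below=(14, 3, 0, 0)),
    "IP Phone 8821": Rule({(11,): "11.0(6)SR7"}, migrate_below=(11, 0, 0, 0)),
    # "2.3(1)SR1 and earlier" must migrate, i.e. anything below 2.3(1)SR2
    "Video Phone 8875": Rule({(3,): "3.3(1)"}, migrate_below=(2, 3, 1, 2)),
}


def triage(model: str, release: str) -> tuple[str, str]:
    """Return (status, first_fixed) for one phone.

    status is one of: fixed, vulnerable, not_vulnerable, migrate, unknown.
    first_fixed is the release to move to, or "" when none applies.
    """
    rule = RULES.get(model)
    if rule is None:
        return "unknown", ""  # model not named in the advisory
    running = parse_release(release)
    if rule.migrate_below is not None and running < rule.migrate_below:
        return "migrate", ""
    # Longest train prefix wins, so (14, 3) is matched before a bare (14,) would be.
    for train in sorted(rule.fixed_by_train, key=len, reverse=True):
        if running[: len(train)] == train:
            fixed = rule.fixed_by_train[train]
            if fixed is None:
                return "not_vulnerable", ""
            if running >= parse_release(fixed):
                return "fixed", fixed
            return "vulnerable", fixed
    return "unknown", ""  # release train not covered by the table


def exploitable(status: str, web_access: bool) -> bool:
    """Both advisory conditions must hold: vulnerable code and Web Access enabled."""
    return status in ("vulnerable", "migrate") and web_access


# Constructed sample export: model, running release, Web Access setting.
SAMPLE_INVENTORY = """\
IP Phone 7800 and 8800 Series,14.3(1)SR1,Enabled
IP Phone 7800 and 8800 Series,14.3(1)SR2,Enabled
IP Phone 7800 and 8800 Series,14.2(1),Disabled
IP Phone 7800 and 8800 Series,14.4(1),Enabled
IP Phone 8821,11.0(6)SR6,Enabled
Video Phone 8875,2.3(1)SR1,Enabled
Video Phone 8875,3.2(1),Disabled
Desk Phone 9800 Series,3.3(1),Enabled
"""


def triage_inventory(csv_text: str) -> list[dict]:
    """Triage every row of the (constructed) CSV export."""
    rows = []
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        model, release, web = (f.strip() for f in line.split(","))
        status, fixed = triage(model, release)
        web_on = web.lower() == "enabled"
        rows.append({"model": model, "release": release, "status": status,
                     "first_fixed": fixed, "web_access": web_on,
                     "exploitable": exploitable(status, web_on)})
    return rows


if __name__ == "__main__":
    for r in triage_inventory(SAMPLE_INVENTORY):
        flag = "EXPLOITABLE" if r["exploitable"] else "-"
        print(f'{flag:12} {r["status"]:14} {r["model"]:30} '
              f'{r["release"]:12} {r["first_fixed"]}')
```

Phones reported as `vulnerable` or `migrate` with Web Access disabled are not exploitable today but still need the upgrade; treat `unknown` rows (a model or release train the table does not cover) as a prompt to check the advisory rather than as clean.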
Workarounds 🧯
There are no workarounds that address these vulnerabilities. Disabling Web Access does mitigate them, because both the DoS and the XSS need the phone web UI to be reachable. Web Access is a phone configuration parameter on Cisco Unified Communications Manager (it is disabled by default), so changing it requires administrative privileges on Unified CM, not on the phone itself.
Risk in context 🎯
The DoS vulnerability carries a CVSS base score of 7.5 (High); the XSS issue is rated lower. Exposure is greatest where the phone web UI is reachable from untrusted networks, whether because phones are internet-facing or because the voice VLAN is poorly segmented, and where Web Access has been turned on for troubleshooting or monitoring and left enabled. A successful DoS takes the phone out of service and disrupts voice communications; the XSS can be used against administrators or users who open the phone web UI. Applying the fixed software promptly is recommended.
Fast facts ⚡
- Vulnerabilities: Denial of service (CVE-2025-20350) and cross-site scripting (CVE-2025-20351).
- CVSS Score: 7.5 (High) for the DoS vulnerability.
- Exploitation: Requires the phone to be registered to Unified CM with Web Access enabled (disabled by default).
- No workarounds; disabling Web Access mitigates both issues.
- Fixed software: Updates available for affected products.
For leadership 🧭
Cisco has identified high-severity vulnerabilities (CVSS 7.5) in its desk and video phones. Unauthenticated attackers could knock phones offline or run malicious scripts against users of the phone web UI, but only on phones where Web Access has been enabled. Immediate remediation is recommended: patch affected devices within 7 days. The operational impact is a brief maintenance window for the phone firmware upgrade, with no expected configuration drift.
Now: Inventory phones with Web Access enabled and disable it wherever it is not required.
Next: Apply the fixed software releases to all affected phones.
Later: Review phone security policy so that Web Access stays disabled (the default) unless there is a documented need, and is re-reviewed when enabled.