CVE-2019-15242

HIGH

Cisco SPA100 Series Firmware - Authenticated Remote Code Execution via Web Management Interface

Title source: llm

Description

Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default.

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory x_refsource_cisco

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce

Scores

CVSS v3 8.0

EPSS 0.0058

EPSS Percentile 43.3%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-119

Status published

Products (4)

cisco/spa112_firmware 1.4.1 (5 CPE variants)

cisco/spa112_firmware < 1.4.1

cisco/spa122_firmware 1.4.1 (5 CPE variants)

cisco/spa122_firmware < 1.4.1

Published Oct 16, 2019

Tracked Since Feb 18, 2026