A vulnerability in Cisco IP phones could allow unauthenticated attackers to remotely listen in on the phones’ audio streams.
According to an advisory Cisco published on its website, the vulnerability (CVE-2015-0670) results from improper authentication in the default configuration of certain Cisco IP phones.
“An attacker could exploit this vulnerability by sending a crafted XML request to the affected device,” the advisory explains. “An exploit could allow the attacker to listen to a remote audio stream or make phone calls remotely.”
Cisco has revealed that version 7.5.5 of the software that powers its Small Business SPA 300 and 500 series IP phones is vulnerable, though other versions might also be affected.