CVE-2020-3161 — Cisco IP Phones Web Server Remote Code Execution and Denial-of-Service Vulnerability

CVE-2020-3161

Cisco IP Phones — Unauthenticated RCE or DoS via HTTP Request Handling Flaw

What are Cisco IP Phones?

Cisco IP Phones are enterprise-grade VoIP handsets widely deployed in corporate offices, government agencies, hospitals, and large institutions; the 7800 Series and 8800 Series are among the most common models. Each phone runs an embedded web server that exposes device information, network settings, and diagnostic logs to anyone who can reach it over the network, and the phone's Web Access setting is enabled by default on many firmware versions. In many deployments the web server is therefore reachable from any internal host without authentication, and in some environments it is inadvertently exposed to the Internet.

Overview

CVE-2020-3161 is an improper input validation vulnerability (CWE-20) in the web server embedded in Cisco IP Phones. An unauthenticated attacker who can send HTTP requests to the phone's web interface can either execute arbitrary code with root privileges or force the phone to reload, causing a denial of service. Because these phones are deployed at scale across enterprise and government networks, an attacker with network access to the phone web server could silently compromise phones and use them for eavesdropping, lateral movement, or as persistent network footholds.

Affected Versions

Product                                       Vulnerable firmware     Fixed firmware
Cisco IP Phone 7811, 7821, 7841, 7861         earlier than 12.7(1)    12.7(1) and later
Cisco IP Phone 8811, 8841, 8845, 8861, 8865   earlier than 12.7(1)    12.7(1) and later
Cisco Unified IP Phone 7900 Series            specific versions       see Cisco advisory

Technical Details

The embedded web server on Cisco IP Phones processes HTTP requests from the local network for administration purposes. Cisco describes the root cause as a lack of proper input validation of HTTP requests (CWE-20) and has not published which request element is mishandled; a crafted request (plausibly an oversized or malformed header, URI, or body, though that is inference rather than a published detail) causes the web server to process the input incorrectly.

The two outcomes:

  1. Remote code execution: the crafted request lets the attacker run arbitrary code with root privileges on the phone's embedded Linux OS. Cisco's advisory states the outcome, not the mechanism; root-level code execution from an input validation flaw in a native web server is consistent with memory corruption (a stack or heap overflow), but that is inference, not a published root cause.
  2. Denial of service: the crafted request causes the phone to reload, so the handset itself, not just its web management page, is unavailable until it finishes rebooting.

Because the web server is enabled by default on many firmware versions and the vulnerable request handling runs before any authentication, the attack requires only TCP connectivity to the phone's web port, a low bar for any attacker with internal network access.

Discovery

The vulnerability was reported to Cisco by Jacob Baines of Tenable, who is credited in Cisco's advisory, and Cisco patched it in April 2020 as part of a broader advisory release cycle.

Exploitation Context

CISA added CVE-2020-3161 to the Known Exploited Vulnerabilities (KEV) catalog on November 3, 2021, in the catalog's initial release under BOD 22-01; CISA lists only vulnerabilities for which it has evidence of active exploitation. Compromised IP phones are a particularly sensitive case because they sit within earshot of sensitive conversations, have a foothold in the voice VLAN, and are often managed by the telephony team rather than through standard IT security processes, leaving gaps in monitoring coverage.

Attackers who compromise IP phones can:

  • Activate microphones for eavesdropping on meeting room conversations
  • Use the phone as a pivot point into the voice VLAN and from there into broader network segments
  • Establish persistent network footholds that are difficult to detect through standard EDR tools
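Phones cannot run an EDR agent, so visibility into attempts against the web server comes from the network. The following added example (not code from the page, from Cisco, or from CISA) flags connections to phone web ports from outside an assumed management subnet, using Zeek-style conn.log records; the subnets, ports, and log lines are constructed assumptions and must be adapted to your own voice and management VLANs.

```python
"""Detect HTTP/HTTPS connections to IP-phone web servers from hosts outside the
phone-management subnet, using Zeek-style conn.log records.

Added example for this page; not code from the original page or from Cisco.
The subnets, ports and log lines below are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

# Assumed layout (adjust to your network): phones sit in the voice VLAN, and
# only the management subnet (CUCM, monitoring, admin jump hosts) is allowed
# to reach the phone web server.
VOICE_VLAN = ipaddress.ip_network("10.20.0.0/16")
MGMT_SUBNET = ipaddress.ip_network("10.250.1.0/24")
PHONE_WEB_PORTS = {80, 443}

# Constructed Zeek-style conn.log excerpt (tab-separated; only the leading
# fields are used). C1 is a legitimate management probe, C2/C3 are a user
# workstation touching two phones' web ports, C4 is ordinary SIP signalling,
# C5 is an Internet host reaching a phone web port (an exposure, not merely
# an internal policy violation).
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1636000000.1\tC1\t10.250.1.10\t51000\t10.20.3.7\t80\ttcp\thttp
1636000001.2\tC2\t10.100.5.23\t52211\t10.20.3.7\t80\ttcp\thttp
1636000002.3\tC3\t10.100.5.23\t52212\t10.20.3.8\t443\ttcp\tssl
1636000003.4\tC4\t10.100.5.23\t52213\t10.20.3.9\t5060\tudp\tsip
1636000004.5\tC5\t203.0.113.9\t40000\t10.20.4.1\t80\ttcp\thttp
"""


def parse_conn_log(text):
    """Yield one dict per record, skipping Zeek '#' header/footer lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        ts, uid, orig_h, orig_p, resp_h, resp_p, proto, service = fields[:8]
        yield {
            "ts": float(ts),
            "uid": uid,
            "orig_h": ipaddress.ip_address(orig_h),
            "orig_p": int(orig_p),
            "resp_h": ipaddress.ip_address(resp_h),
            "resp_p": int(resp_p),
            "proto": proto,
            "service": service,
        }


def is_phone_web_access(rec):
    """True when the responder is a phone web port (TCP 80/443 in the voice VLAN)."""
    return (
        rec["proto"] == "tcp"
        and rec["resp_h"] in VOICE_VLAN
        and rec["resp_p"] in PHONE_WEB_PORTS
    )


def find_violations(text):
    """Records that hit a phone web port from outside the management subnet."""
    return [
        rec for rec in parse_conn_log(text)
        if is_phone_web_access(rec) and rec["orig_h"] not in MGMT_SUBNET
    ]


def phones_touched_per_source(violations):
    """Map each offending source to the phones it reached; one host reaching
    many phones' web ports looks like a sweep rather than a stray click."""
    seen = defaultdict(set)
    for rec in violations:
        seen[str(rec["orig_h"])].add(str(rec["resp_h"]))
    return {src: sorted(phones) for src, phones in seen.items()}


if __name__ == "__main__":
    hits = find_violations(SAMPLE_CONN_LOG)
    for rec in hits:
        print(f"{rec['uid']}: {rec['orig_h']} -> {rec['resp_h']}:{rec['resp_p']} ({rec['service']})")
    for src, phones in phones_touched_per_source(hits).items():
        print(f"{src} reached {len(phones)} phone web server(s): {', '.join(phones)}")
```

On the sample data the script flags C2, C3 and C5 and shows 10.100.5.23 touching two different phones; feed it your real conn.log and treat any source outside the management subnet, and especially any non-RFC1918 source, as an ACL gap to close.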

Remediation

  1. Apply firmware updates: update to Cisco IP Phone firmware 12.7(1) or later (the fixed release listed above; confirm the fix for each model against Cisco's advisory). In CUCM-managed deployments, install the firmware on the CUCM TFTP servers, set the new load in Device Defaults or on the device's Phone Load Name, and reset the phones so they pick it up.
  2. Disable the web server if not needed: set the phone's Web Access parameter to Disabled in CUCM (per device, or fleet-wide via the Common Phone Profile or Enterprise Phone Configuration). This removes the vulnerable service entirely and is the strongest interim control where the phone web pages are not required for management.
  3. Network segmentation: keep IP phones on a dedicated voice VLAN with ACLs that allow TCP 80/443 to the phones only from management hosts (CUCM, monitoring, admin jump hosts), never from user workstations or external networks.
  4. Do not rely on web authentication: the vulnerable request handling runs before any authentication (CVSS PR:N), so an admin password on the phone's web pages does not block the crafted request. Short of the firmware update, disabling Web Access (step 2) and restricting reachability (step 3) are the effective controls.
  5. Inventory and patch: audit all deployed IP phone models and firmware versions (a CUCM device export gives model, active load, and the Web Access setting) to identify unpatched devices; phone firmware is often neglected in standard patch management workflows.
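The inventory step above is where most of the work is, because firmware versions come back as strings like 12.5(1)SR3 that do not compare correctly as text. The following added example (not code from the page or from Cisco) parses those version strings, applies the affected-model list and 12.7(1) fixed release from this page's table, and tells you per device whether to patch, to disable Web Access first, or to check the vendor advisory because the model is not in the list. The inventory records are constructed; in practice they come from a CUCM device export. Confirm the fixed release for each model against Cisco's advisory before acting on the results.

```python
"""Audit an IP-phone inventory for CVE-2020-3161 exposure.

Added example for this page, not code from the original page or from Cisco.
The inventory records are constructed. The affected models and the 12.7(1)
fixed release are taken from the table on this page; verify them against
Cisco's advisory for each model you run.
"""
import re

FIXED_VERSION = "12.7(1)"
AFFECTED_MODELS = {"7811", "7821", "7841", "7861",
                   "8811", "8841", "8845", "8861", "8865"}

# Accepts the forms phones and CUCM commonly show: "12.7(1)", "12.5(1)SR3",
# "11.7.1". Anything else raises rather than being silently treated as patched.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)[.(](\d+)\)?(?:SR(\d+))?$")


def parse_version(text):
    """Return a comparable (major, minor, maintenance, service_release) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, maint, sr = m.groups()
    return (int(major), int(minor), int(maint), int(sr or 0))


def model_number(model):
    """'Cisco 8841' -> '8841'; None if no four-digit model number is present."""
    m = re.search(r"\b(\d{4})\b", model)
    return m.group(1) if m else None


def is_vulnerable(device):
    """Affected model running a release older than the fixed one."""
    if model_number(device["model"]) not in AFFECTED_MODELS:
        return False
    return parse_version(device["version"]) < parse_version(FIXED_VERSION)


def audit(inventory):
    """Return (vulnerable, unlisted): vulnerable devices with the action to
    take, and devices whose model this page's list does not cover."""
    vulnerable, unlisted = [], []
    for dev in inventory:
        if model_number(dev["model"]) not in AFFECTED_MODELS:
            unlisted.append(dev["name"])
            continue
        if is_vulnerable(dev):
            action = "update firmware"
            if dev["web_access"]:
                action = "disable Web Access now, then update firmware"
            vulnerable.append((dev["name"], dev["model"], dev["version"], action))
    return vulnerable, unlisted


# Constructed inventory (not real devices).
SAMPLE_INVENTORY = [
    {"name": "SEP0011AA000001", "model": "Cisco 8841", "version": "12.5(1)SR3", "web_access": True},
    {"name": "SEP0011AA000002", "model": "Cisco 7841", "version": "12.7(1)", "web_access": True},
    {"name": "SEP0011AA000003", "model": "Cisco 8865", "version": "11.7(1)", "web_access": False},
    {"name": "SEP0011AA000004", "model": "Cisco 8861", "version": "12.7(1)SR1", "web_access": True},
    {"name": "SEP0011AA000005", "model": "Cisco 7965", "version": "9.4(2)SR3", "web_access": True},
]

if __name__ == "__main__":
    vulnerable, unlisted = audit(SAMPLE_INVENTORY)
    for name, model, version, action in vulnerable:
        print(f"{name} ({model}, {version}): {action}")
    for name in unlisted:
        print(f"{name}: model not in this page's affected list; check Cisco advisory")
```

The version tuple comparison is the point: "12.5(1)SR3" sorts before "12.7(1)" and "12.7(1)SR1" sorts after it, which a plain string comparison gets wrong. The unlisted bucket exists because the page's third table row (7900 Series, "see Cisco advisory") cannot be decided automatically.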

Key Details

Property              Value
CVE ID                CVE-2020-3161
Vendor / Product      Cisco — Cisco IP Phones
NVD Published         2020-04-15
NVD Last Modified     2025-10-28
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-20 (Improper Input Validation)
CISA KEV Added        2021-11-03
CISA KEV Deadline     2022-05-03
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network (AV:N)
Attack Complexity     Low (AC:L)
Privileges Required   None (PR:N)
User Interaction      None (UI:N)
Scope                 Unchanged (S:U)
Confidentiality       High (C:H)
Integrity             High (I:H)
Availability          High (A:H)

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date        Event
2020-04-15  Cisco publishes its advisory and fixed firmware for CVE-2020-3161
2021-11-03  Added to the CISA Known Exploited Vulnerabilities catalog
2022-05-03  CISA BOD 22-01 remediation deadline