Cisco has issued a security alert warning users of several of its voice over Internet Protocol (VoIP) phones that a flaw in the products could allow hackers to listen in on users’ conversations.
The company said the products at risk are the Cisco Small Business SPA series 300 and series 500 IP phones.
A vulnerability in the machines “could allow an unauthenticated remote attacker to listen to the audio stream” of the phones, according to Cisco. Software updates are not available at this time.
“The vulnerability is due to improper authentication settings in the default configuration,” a warning from the company said. “An attacker could exploit this vulnerability by sending a crafted XML request to the affected device. An exploit could allow the attacker to listen to a remote audio stream or make phone calls remotely.”
To exploit the vulnerability, an attacker may need to access trusted, internal networks behind a firewall to send crafted XML requests to the device. This access requirement may reduce the likelihood of a successful exploit.
Cisco advised IT administrators to contact the vendor regarding updates and releases.
Administrators are also advised to enable XML execution authentication in the configuration settings of the phones.
Administrators can also use IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
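As an added example (not Cisco's code or part of the advisory), the following Python check applies the two mitigations above as detection logic: it flags XML requests to phone addresses that arrive from outside a trusted management range or without credentials. The log line format, addresses and request path are constructed assumptions, not the phones' real logging.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed: address block of the phones, and the only hosts allowed to manage them
PHONE_RANGE = ipaddress.ip_network("10.20.30.0/24")
TRUSTED_MGMT = [ipaddress.ip_network("10.0.0.0/29")]

# Constructed record shape: "<src> -> <dst> <METHOD> <path> ctype=<type> auth=<yes|no>"
LOG_RE = re.compile(
    r"^(?P<src>\S+) -> (?P<dst>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"ctype=(?P<ctype>\S+) auth=(?P<auth>yes|no)$"
)


def is_trusted(src: str) -> bool:
    """IP-based ACL check: is the source inside an allowed management range?"""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in TRUSTED_MGMT)


def analyze(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per XML request to a phone that violates either mitigation."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a request record in the expected shape
        if ipaddress.ip_address(m["dst"]) not in PHONE_RANGE:
            continue  # traffic not aimed at a phone
        if m["method"] != "POST" or "xml" not in m["ctype"].lower():
            continue  # only XML requests are relevant to the weakness described
        reasons = []
        if not is_trusted(m["src"]):
            reasons.append("source outside trusted management range")
        if m["auth"] == "no":
            reasons.append("XML request without authentication")
        if reasons:
            findings.append({"src": m["src"], "dst": m["dst"], "reason": "; ".join(reasons)})
    return findings


# Constructed sample records (path "/xml" is a placeholder, not a real phone endpoint)
SAMPLE_LOG = [
    "10.0.0.5 -> 10.20.30.11 POST /xml ctype=text/xml auth=yes",          # trusted and authenticated: clean
    "10.0.0.5 -> 10.20.30.11 POST /xml ctype=text/xml auth=no",           # trusted host, but no credentials
    "10.99.1.7 -> 10.20.30.12 POST /xml ctype=application/xml auth=no",   # untrusted and unauthenticated
    "10.99.1.7 -> 10.20.30.12 GET /index.html ctype=- auth=no",           # not an XML request: ignored
    "10.99.1.7 -> 10.50.0.9 POST /xml ctype=text/xml auth=no",            # not a phone: ignored
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```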