CVE-2020-3161 CRITICAL

CVE-2020-3161: Cisco IP Phones Web Server Remote Code Execution and Denial of Service Vulnerability

Vendor Cisco

Product Cisco IP phone

Weakness CWE-20 · Input validation

KEV Status Known Exploited

Published April 15, 2020

Last update October 21, 2025

View on NVD All CVEs

CVSS base score

9.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

A vulnerability in the web server for Cisco IP Phones could allow an unauthenticated, remote attacker to execute code with root privileges or cause a reload of an affected IP phone, resulting in a denial of service (DoS) condition. The vulnerability is due to a lack of proper input validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web server of a targeted device. A successful exploit could allow the attacker to remotely execute code with root privileges or cause a reload of an affected IP phone, resulting in a DoS condition.

CISA mandated remediation

02CISA Required Action

Apply updates per vendor instructions.

Key dates

03Disclosure timeline

April 15, 2020 CVE published

October 21, 2025 Record updated

External resources

04References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2020-3161 CISA KEV Reference https://nvd.nist.gov/vuln/detail/CVE-2020-3161

Related vulnerabilities

CVE-2020-3161: Cisco IP Phones Web Server Remote Code Execution and Denial of Service Vulnerability

01Description

02CISA Required Action

03Disclosure timeline

04References

05Related CVE