CVE-2022-20660 MEDIUM

CVE-2022-20660: Cisco IP Phones Information Disclosure Vulnerability

Vendor Cisco
Product Cisco Session Initiation Protocol (SIP) Software
Weakness CWE-312 · Cleartext storage
Published January 14, 2022
Last update November 6, 2024

CVSS base score

4.6/10
Attack vector Physical
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

A vulnerability in the information storage architecture of several Cisco IP Phone models could allow an unauthenticated, physical attacker to obtain confidential information from an affected device. This vulnerability is due to unencrypted storage of confidential information on an affected device. An attacker could exploit this vulnerability by physically extracting and accessing one of the flash memory chips. A successful exploit could allow the attacker to obtain confidential information from the device, which could be used for subsequent attacks.

Key dates

02Disclosure timeline

January 14, 2022 CVE published
November 6, 2024 Record updated