

Severity
High
Analysis Summary
Cisco has issued a security advisory, published on October 15, 2025, warning of multiple vulnerabilities affecting its Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 models running Cisco Session Initiation Protocol (SIP) Software. These vulnerabilities pose a risk when Web Access is enabled on devices registered to Cisco Unified Communications Manager (CUCM), a feature that is disabled by default to reduce exposure. If exploited, attackers could trigger denial-of-service (DoS) conditions or launch cross-site scripting (XSS) attacks via the phone’s web user interface, potentially impacting unified communication systems in enterprise environments.
The most severe flaw is CVE-2025-20350, a buffer overflow vulnerability with a High CVSS severity rating. It is triggered when affected systems process maliciously crafted HTTP packets received over the network. Exploitation requires no authentication or elevated privileges, making it easier for remote attackers to force device reloads and disrupt voice communication services. Cisco associates this vulnerability with bug ID CSCwn51601, underscoring its threat to system stability and reliability within large-scale telephony infrastructures. A second vulnerability, CVE-2025-20351, is a medium-severity reflected XSS flaw caused by improper validation of user-supplied input in the web interface.
Through CVE-2025-20351, attackers could inject malicious scripts by luring users into clicking crafted links. A successful attack could compromise session data, alter the user interface, or execute actions within the system on behalf of the user. However, this vulnerability requires user interaction and is linked to bug ID CSCwn51683. The advisory clarifies that only devices using Cisco SIP Firmware are affected; those operating on Multiplatform Firmware remain unaffected. There are currently no public exploits or evidence of active exploitation, but systems with Web Access enabled remain at heightened risk.
As for mitigation, Cisco has not provided alternative workarounds except recommending administrators disable Web Access in CUCM or via the Bulk Administration Tool. Security teams can confirm exposure by entering the phone’s IP address in a web browser. To fully remediate the flaws, Cisco has released patched software versions: SIP Software 3.3(1) for Desk Phone 9800 and Video Phone 8875, 14.3(1)SR2 for IP Phone 7800 and 8800 models, and 11.0(6)SR7 for the IP Phone 8821. Organizations are strongly advised to upgrade promptly to prevent service disruptions and ensure their communication infrastructure remains secure and operational.
Impact
- Cross-site Scripting
- Buffer Overflow
- Gain Access
- Denial of Service
Indicators of Compromise
CVE
- CVE-2025-20350
- CVE-2025-20351
Remediation
- Disable Web Access on affected Cisco phones via CUCM or the Bulk Administration Tool to eliminate the attack surface (since vulnerabilities are only exploitable when Web Access is enabled).
- Verify Web Access status by entering the phone’s IP in a browser; if the interface loads, Web Access is enabled and should be disabled immediately.
- Apply Cisco’s Fixed Software Updates.
- Upgrade devices promptly to the above versions to fully patch CVE-2025-20350 (DoS) and CVE-2025-20351 (XSS) vulnerabilities.
- Restrict network access to phone management interfaces by placing them on isolated VLANs or limiting access to trusted administrative IPs only.
- Monitor CUCM logs and device activity for unusual HTTP requests or unexpected phone reboots that might indicate exploitation attempts.
- Educate users and admins not to click unknown or suspicious links that could lead to XSS-based exploitation.
- Implement strong internal access control policies for Unified Communications systems to reduce unauthorized access risks.
- Regularly review Cisco advisories and apply future updates to maintain security over unified communication devices.
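
The following triage script is an added example, not code from Cisco or from this advisory: it parses Cisco-style release strings and classifies phones against the fixed SIP Software versions listed above. The inventory rows, field names and status labels are constructed, and it assumes releases order numerically as major.minor(maintenance)SR and that any release below the listed one still needs the upgrade.

```python
import re

# First fixed SIP Software release per family, as listed on this page.
FIXED = [  # order matters: 8875 and 8821 must match before the 8800 series
    (re.compile(r"^8875$"), "3.3(1)"),             # Video Phone 8875
    (re.compile(r"^8821$"), "11.0(6)SR7"),         # IP Phone 8821
    (re.compile(r"^98\d\d$"), "3.3(1)"),           # Desk Phone 9800 Series
    (re.compile(r"^(78|88)\d\d$"), "14.3(1)SR2"),  # IP Phone 7800/8800 Series
]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(?:SR(\d+))?$")

def parse_version(text):
    """Turn '14.3(1)SR2' into (14, 3, 1, 2); a missing SR counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def triage(phone):
    """Classify one inventory record (hypothetical field names)."""
    if phone["firmware"].upper() != "SIP":
        return "not-affected"      # Multiplatform Firmware is unaffected
    target = next((v for p, v in FIXED if p.match(phone["model"])), None)
    if target is None:
        return "out-of-scope"      # model not named in this summary
    try:
        patched = parse_version(phone["version"]) >= parse_version(target)
    except ValueError:
        return "review-manually"   # never guess on an unparseable version
    if patched:
        return "patched"
    # Unpatched: reachable only if Web Access is on, but still needs the upgrade.
    return "exposed" if phone["web_access"] else "unpatched-web-access-off"

# Constructed sample inventory (not real devices or a real CUCM export).
INVENTORY = [
    {"name": "SEP-A", "model": "8845", "firmware": "SIP", "version": "14.2(1)SR3", "web_access": True},
    {"name": "SEP-B", "model": "7841", "firmware": "SIP", "version": "14.3(1)SR2", "web_access": True},
    {"name": "SEP-C", "model": "8821", "firmware": "SIP", "version": "11.0(6)SR6", "web_access": False},
    {"name": "SEP-D", "model": "8851", "firmware": "MPP", "version": "12.0(4)", "web_access": True},
    {"name": "SEP-E", "model": "8875", "firmware": "SIP", "version": "sip8875.3-3-1", "web_access": True},
]

def report(inventory):
    """Map each phone name to its triage status."""
    return {p["name"]: triage(p) for p in inventory}

for name, status in report(INVENTORY).items():
    print(f"{name}: {status}")
```

Phones reported as `exposed` are the ones to prioritise: disable Web Access first, then schedule the upgrade.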








