It's time to trash your Cisco SPA300 and SPA500 IP Phones


A boffin from British defense contractor BAE has found three critical flaws in Cisco's Small Business SPA300 and SPA500 IP phones — and a couple more nasty ones — none of which will be fixed or mitigated.

In an advisory published Wednesday, Cisco explained that the three most serious flaws — all with CVSS 9.8 out of 10 — affect the web-based interface of the devices and could allow an unauthenticated remote attacker to gain root privileges to hijack and interfere with the equipment.

The three worst vulnerabilities – CVE-2024-20450, CVE-2024-20452 and CVE-2024-20454 – stem from the fact that the software does not handle incoming HTTP requests securely enough. An attacker can therefore send a crafted HTTP request to one of the phones, causing a buffer overflow and allowing the execution of arbitrary commands – with the aforementioned root privileges.

The other two flaws – CVE-2024-20451 and CVE-2024-20453 – are less severe and receive a CVSS score of only 7.8 due to their limited scope. Cisco reports that these are also related to problems in HTTP control mechanisms, but they do not allow code execution. They do, however, give an attacker a chance to take the phones down with an overload (denial-of-service) attack.
