CVE-2025-20336 Overview
A vulnerability in the directory permissions of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 could allow an unauthenticated, remote attacker to access sensitive information on an affected device. This vulnerability exists because the product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
An attacker could exploit this vulnerability by sending a crafted packet to the IP address of a device that has Web Access enabled. A successful exploit could allow the attacker to access sensitive information from the device. Notably, Web Access must be enabled on the phone for exploitation to occur—Web Access is disabled by default.
Critical Impact
Unauthenticated remote attackers can access sensitive information from affected Cisco IP phones when Web Access is enabled, potentially exposing configuration data, credentials, or other confidential device information.
Affected Products
- Cisco Desk Phone 9800 Series (9841, 9851, 9861, 9871)
- Cisco IP Phone 7800 Series (7811, 7821, 7841, 7861)
- Cisco IP Phone 8800 Series (8811, 8821, 8841, 8845, 8851, 8851NR, 8861, 8865)
- Cisco Video Phone 8875
Discovery Timeline
- September 3, 2025 - CVE-2025-20336 published to NVD
- January 5, 2026 - Last updated in NVD database
Technical Details for CVE-2025-20336
Vulnerability Analysis
This vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw exists in the directory permission configuration of the affected Cisco phone firmware, which fails to properly restrict access to sensitive information when the Web Access feature is enabled.
The attack can be executed remotely over the network without requiring authentication or user interaction. While the vulnerability allows high-impact confidentiality compromise, it does not affect the integrity or availability of the affected systems. This means attackers can read sensitive data but cannot modify it or disrupt device operation through this specific vulnerability.
The web interface of these IP phones, when enabled, serves device information and configuration data. Due to improper directory permissions, certain sensitive files or directories that should be protected become accessible to remote users who send appropriately crafted HTTP requests to the device's web server.
Root Cause
The root cause of CVE-2025-20336 is improper directory permission configuration in the firmware of affected Cisco phone devices. Specifically, the web server component does not adequately restrict access to directories containing sensitive information. When Web Access is enabled, the device exposes files or data that should only be accessible to authenticated administrators, allowing any network-reachable attacker to retrieve this information.
Attack Vector
The attack vector for this vulnerability is network-based and requires no privileges or user interaction. An attacker with network access to an affected device can exploit this vulnerability by:
- Identifying a target Cisco IP phone or video phone with Web Access enabled
- Sending crafted HTTP requests to the device's web interface
- Accessing sensitive information through improperly secured directory paths
The exploitation is straightforward due to the low attack complexity—the attacker simply needs to know the IP address of a vulnerable device with Web Access enabled and craft appropriate requests to retrieve sensitive data.
Detection Methods for CVE-2025-20336
Indicators of Compromise
- Unusual HTTP/HTTPS requests to Cisco IP phone web interfaces from unexpected sources
- Access log entries showing requests to sensitive directory paths or configuration endpoints
- Network traffic analysis revealing data exfiltration patterns from phone device IP addresses
- Unexpected external connections to internal IP phone management interfaces
Detection Strategies
- Monitor network traffic for HTTP requests directed at Cisco IP phone web interfaces, especially from external or unauthorized internal sources
- Implement network intrusion detection rules to identify access attempts to known sensitive directory paths on Cisco phone devices
- Review web access logs on affected devices (if available) for anomalous request patterns
- Deploy network segmentation monitoring to detect unauthorized access attempts to voice network segments
Monitoring Recommendations
- Enable logging on network firewalls and IDS/IPS systems for traffic directed at Cisco phone IP addresses on HTTP/HTTPS ports
- Implement SIEM correlation rules to alert on multiple information disclosure attempts across phone device fleet
- Conduct periodic network scans to identify devices with Web Access inadvertently enabled
- Monitor for reconnaissance activity that may precede exploitation attempts
How to Mitigate CVE-2025-20336
Immediate Actions Required
- Disable Web Access on all affected Cisco IP phones and video phones where this feature is not strictly required—Web Access is disabled by default
- Implement network segmentation to isolate voice devices from general network access
- Apply access control lists (ACLs) to restrict which IP addresses can reach phone web interfaces
- Inventory all affected Cisco phone devices and verify their firmware versions and Web Access status
Patch Information
Cisco has released a security advisory addressing this vulnerability. Administrators should consult the Cisco Security Advisory for specific firmware versions that contain the fix and upgrade paths for each affected device model.
Affected firmware versions include:
- IP Phone 7800/8800 Series: Firmware version 14.3(1) and related service releases
- IP Phone 8821: Firmware version 11.0(6) and related service releases
- Video Phone 8875: Firmware version 2.3(1) and related service releases
- Desk Phone 9800 Series: Check advisory for affected versions
Workarounds
- Disable Web Access on all affected devices: Navigate to device administration settings and ensure Web Access is set to Disabled
- Implement firewall rules to block HTTP/HTTPS traffic to phone device IP addresses from untrusted networks
- Use network segmentation to place IP phones on a dedicated VLAN with restricted access from other network segments
- If Web Access is required for administration, restrict access to specific management workstation IP addresses only
# Example network ACL to restrict phone web access (Cisco IOS syntax)
ip access-list extended PHONE-WEB-RESTRICT
permit tcp host 10.1.1.100 10.10.10.0 0.0.0.255 eq 443
permit tcp host 10.1.1.100 10.10.10.0 0.0.0.255 eq 80
deny tcp any 10.10.10.0 0.0.0.255 eq 443
deny tcp any 10.10.10.0 0.0.0.255 eq 80
permit ip any any
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
