Cisco Unified IP Phone 9900 Series Data Disclosure Vulnerability

A vulnerability in the mobility extension feature of Cisco Unified IP Phone 9900 Series could allow an unauthenticated, remote attacker to obtain sensitive information.

The vulnerability is due to insufficient protections of information in transit. An attacker could exploit this vulnerability by monitoring network traffic.

Cisco has confirmed the vulnerability in a security notice; however, software updates are not available.

To exploit this vulnerability, an attacker may need access to trusted, internal networks behind a firewall to sniff network traffic in transit from a targeted device. This access requirement may reduce the likelihood of a successful exploit.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.