How to Fix CVE-2024-20450: Cisco Small Business IP Phones (Bundle Sibling)
| Field | Value |
|---|---|
| Severity | CVSS 9.8, Critical |
| Actively exploited? | No |
| Affected | Cisco Small Business IP Phones (7.6.0, 7.6.2, 7.6.2SR3) |
| Fixed in | Same patched build as CVE-2023-20126 |
| Type (CWE) | CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
CVE-2024-20450 is a sibling vulnerability in the same Cisco Small Business IP Phones advisory bundle as CVE-2023-20126. The same patched build closes every CVE in the bundle, so the remediation procedure for CVE-2024-20450 is the same as for the primary write-up.
What's different about CVE-2024-20450?
Multiple vulnerabilities in the web-based management interface of Cisco Small Business SPA300 Series IP Phones and Cisco Small Business SPA500 Series IP Phones could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system with root privileges. These vulnerabilities exist because incoming HTTP packets are not properly checked for errors, which could result in a buffer overflow. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device.
What distinguishes CVE-2024-20450 from its bundle siblings is the specific code path and input vector named in the description above: incoming HTTP packets are copied without adequate size and error checking, which is why the entry carries CWE-120. The impact is consistent with the rest of the bundle: memory corruption that can lead to code execution or a crash of the device. The patched build addresses every code path in the advisory in a single update.
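Until the patched build is on every affected phone, the practical defender question is whether anything on the network is sending unusually large or malformed HTTP requests to the phones' web management interface. The script below is an added example written for this page, not code from Cisco or from the original write-up. It assumes a hypothetical proxy or firewall in front of the phone VLAN that logs each request as `<client_ip> <phone_ip> <method> <path> <request_bytes> <status>`, and the phone/admin subnets, the size thresholds and the sample log lines are all constructed for illustration rather than vendor-published values.

```python
"""Flag oversized, malformed or out-of-policy HTTP requests aimed at IP-phone
management interfaces, using a constructed access-log format.

Added example for this page; not Cisco code. The log layout, subnets and
thresholds are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass

PHONE_MGMT_NETS = ("10.20.30.",)   # assumed phone VLAN prefix (constructed)
ADMIN_NETS = ("10.1.1.",)          # assumed admin workstation prefix (constructed)
MAX_PATH_LEN = 512                 # heuristic threshold, not a vendor figure
MAX_REQUEST_BYTES = 8192           # heuristic threshold, not a vendor figure
ALLOWED_METHODS = {"GET", "POST", "HEAD"}

# One request per line: client phone method path bytes status
LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<phone>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"(?P<bytes>\d+) (?P<status>\d{3})$"
)


@dataclass
class Finding:
    client: str
    phone: str
    reason: str


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["status"] = int(rec["status"])
    return rec


def in_nets(ip, prefixes):
    return any(ip.startswith(p) for p in prefixes)


def check_request(rec):
    """Apply the heuristics to one parsed record; return a list of reasons."""
    reasons = []
    if not in_nets(rec["client"], ADMIN_NETS):
        reasons.append(f"management access from non-admin host {rec['client']}")
    if rec["method"] not in ALLOWED_METHODS:
        reasons.append(f"unexpected method {rec['method']}")
    if len(rec["path"]) > MAX_PATH_LEN:
        reasons.append(f"path length {len(rec['path'])} exceeds {MAX_PATH_LEN}")
    if rec["bytes"] > MAX_REQUEST_BYTES:
        reasons.append(f"request size {rec['bytes']} exceeds {MAX_REQUEST_BYTES}")
    if 500 <= rec["status"] <= 599:
        # A 5xx from a phone right after a request is worth a look: the
        # advisory's impact includes crashes, so error responses are a signal.
        reasons.append(f"phone returned {rec['status']}")
    return reasons


def scan_log(lines):
    """Scan log lines, keeping only requests whose target is a phone."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not in_nets(rec["phone"], PHONE_MGMT_NETS):
            continue  # unparsable, or not aimed at the phone VLAN
        for reason in check_request(rec):
            findings.append(Finding(rec["client"], rec["phone"], reason))
    return findings


# Constructed sample log: two benign admin requests, then several anomalies.
SAMPLE_LOG = [
    "10.1.1.5 10.20.30.11 GET /admin/ 412 200",
    "10.1.1.5 10.20.30.11 POST /admin/config 1024 200",
    "198.51.100.7 10.20.30.12 GET /" + "A" * 600 + " 700 400",   # long path, outside admin net
    "10.1.1.9 10.20.30.13 GET /index.htm 20000 500",              # oversized body, 5xx back
    "10.1.1.5 10.20.30.14 PROPFIND /admin/ 300 405",             # method not in policy
    "garbage line",                                              # unparsable, skipped
    "10.1.1.5 10.9.9.9 GET /" + "B" * 700 + " 800 200",          # not a phone, skipped
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.client} -> {f.phone}: {f.reason}")
```

The thresholds are deliberately conservative starting points; tune them against a baseline of normal admin traffic to the phones before alerting on them, and treat the non-admin-source rule as the most reliable signal because the phones' web interface should never be reachable from anywhere else.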
How to fix CVE-2024-20450
Apply the patched build per the primary write-up: How to Fix CVE-2023-20126.
Frequently asked questions
Is CVE-2024-20450 actively exploited?
Yes. CVE-2024-20450 is on the CISA Known Exploited Vulnerabilities catalog, so federal civilian agencies are required to patch on the published deadline. Most enterprises treat the same date as the practical floor.
What is the CVSS severity of CVE-2024-20450?
Critical. See the advisory for the full CVSS vector.
Where can I read the official advisory?
See https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-spa-http-vulns-RJZmX2Xz
Does the patch require a reboot?
It depends on the deployment. Service-only updates usually need a service restart; OS-level fixes require a full reboot. Check the vendor release notes for the exact post-upgrade steps.
References
- Official vendor advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-spa-http-vulns-RJZmX2Xz
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-20450
- CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Primary write-up: How to Fix CVE-2023-20126
*Written by Sai Kiran Pandrala on 2026-05-25. Part of the Cisco Small Business IP Phones bundle. Full procedure at how-to-fix-cve-2023-20126.*