5 Critical Vulnerabilities Found In Cisco Devices

Posting ID 122764
Date Added: 02/6/2020 7:00 AM EST
Date Modified: 02/6/2020 7:24 AM EST
E-ISAC Staff


On August 29th, 2019, the cybersecurity firm Armis Security discovered five zero-day vulnerabilities in Cisco devices, collectively referred to as “CDPwn”, which could potentially impact tens of millions of devices. CDPwn consists of five Remote Code Execution vulnerabilities as well as one Denial of Service vulnerability. The vulnerabilities lie in the Cisco Discovery Protocol (CDP), a layer-2 networking protocol that Cisco devices use to gather information about other devices connected to the same network. The CDPwn vulnerabilities could potentially be used to break network segmentation, exfiltrate corporate network traffic traversing an organization’s switches and routers, gain access to additional devices through man-in-the-middle attacks that intercept and alter traffic on the corporate switch, and exfiltrate sensitive information such as phone calls from IP phones and video feeds from IP cameras. Armis Security reported CDPwn to Cisco soon after discovery.

On February 5th, 2020, Cisco released patches for devices vulnerable to CDPwn exploitation. Cisco stated that it is not yet aware of any malicious use of CDPwn. To exploit the vulnerabilities, attackers would first need to establish a foothold inside a target’s network and then hop from device to device via CDPwn exploitation to gain significant access to and/or control over the network, potentially executing code or causing denial of service.

Many of the vulnerable Cisco products, such as desk phones, web cameras, and network switches, do not auto-update and need manual patching to receive protection. Enterprise switches and routers are often behind on patches and updates because operators avoid network downtime. CDP is implemented in virtually all Cisco products, including switches, routers, IP phones and cameras, and all of those devices ship from the factory with CDP enabled by default. According to Cisco, over 95 percent of Fortune 500 companies use Cisco Collaboration solutions.

Cisco device owners should check Cisco’s website to determine whether their devices are listed as susceptible to CDPwn exploitation. If a device is listed as containing CDPwn vulnerabilities, its owner should immediately download and manually install the patches from Cisco’s website. Routine updates are recommended for all Cisco devices to avoid exploitation by malicious actors who rely on unpatched devices as attack vectors for infiltrating enterprise systems.

The following fix action is recommended for Cisco device owners: refer to the “Affected Products” section of the attached “CISCO CDP vulnerability for DoS.pdf” to determine whether your device(s) are listed as having CDPwn vulnerabilities and, if so, refer to the “Fixed Releases” section and download and install the patch for the device. A table containing both the affected device series and links to their respective vulnerability patch instructions is included below.

Recommendation: Partners and Client organizations should have cyber security teams determine which affected devices they have and patch accordingly.

Recommendation: More frequent updating of Cisco devices.

Affected Cisco Device(s) | Vulnerability Patch Instructions Link

  • IP Conference Phone 7832
  • IP Conference Phone 7832 with Multiplatform Firmware
  • IP Conference Phone 8832
  • IP Conference Phone 8832 with Multiplatform Firmware
  • IP Phone 6821, 6841, 6851, 6861, 6871 with Multiplatform Firmware
  • IP Phone 7811, 7821, 7841, 7861 Desktop Phones
  • IP Phone 7811, 7821, 7841, 7861 Desktop Phones with Multiplatform Firmware
  • IP Phone 8811, 8841, 8851, 8861, 8845, 8865 Desktop Phones
  • IP Phone 8811, 8841, 8851, 8861, 8845, 8865 Desktop Phones with Multiplatform Firmware
  • Unified IP Conference Phone 8831
  • Unified IP Conference Phone 8831 for Third-Party Call Control
  • Wireless IP Phone 8821 and 8821-EX
  • Firepower 4100 Series and Firepower 9300 Security Appliances
  • IOS XR Software
  • MDS 9000 Series Multilayer Switches
  • Nexus 1000 Virtual Edge for VMware vSphere
  • Nexus 1000V Switch for Microsoft Hyper-V
  • Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone NX-OS Mode
  • Nexus 5500 and 5600 Platform Switches and Nexus 6000 Series Switches
  • Nexus 7000 Series Switches
  • Nexus 9000 Series Fabric Switches in ACI Mode
  • UCS 6200, 6300, and 6400 Series Fabric Interconnects



Category Type:
Cyber Security
TLP - White