Affected module: VCS754a | Business Phone
CVE: CVE-2023-25437
VTech's VCS754a business phones have been found to have a vulnerability that exposes the credentials for the SIP system, allowing anyone with access to the web portal to reveal the password for the system.
During a security assessment, it was discovered that the SIP system credentials are stored in the producer's web portal and can be revealed by inspecting the page's source code. This means that anyone with access to the web portal can log in using VTech's default credentials and gain access to the password for the SIP system, enabling them to make calls on behalf of the victim.
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1682575572169/c0365386-6f4c-421b-badc-3282bb52e94d.png" alt class="image--center mx-auto" />
While this vulnerability posed a significant risk to businesses using older versions of the VTech VCS754a phone, it has been addressed in newer versions of the phone. Businesses that have upgraded their VCS754a phone to versions newer than 1.1.1.A are no longer affected by this vulnerability.
It is still essential for businesses to conduct regular security assessments to identify potential vulnerabilities and take proactive steps to protect their assets and information from unauthorized access. However, businesses that have upgraded their VCS754a phone to versions newer than 1.1.1.A can have peace of mind knowing that they are no longer affected by this particular vulnerability.

Affected module: VCS754a | Business Phone

CVE: CVE-2023-25437

VTech's VCS754a business phones have been found to have a vulnerability that exposes the credentials for the SIP system, allowing anyone with access to the web portal to reveal the password for the system.

During a security assessment, it was discovered that the SIP system credentials are stored in the producer's web portal and can be revealed by inspecting the page's source code. This means that anyone with access to the web portal can log in using VTech's default credentials and gain access to the password for the SIP system, enabling them to make calls on behalf of the victim.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1682575572169/c0365386-6f4c-421b-badc-3282bb52e94d.png align="center")

While this vulnerability posed a significant risk to businesses using older versions of the VTech VCS754a phone, it has been addressed in newer versions of the phone. Businesses that have upgraded their VCS754a phone to versions newer than 1.1.1.A are no longer affected by this vulnerability.

It is still essential for businesses to conduct regular security assessments to identify potential vulnerabilities and take proactive steps to protect their assets and information from unauthorized access. However, businesses that have upgraded their VCS754a phone to versions newer than 1.1.1.A can have peace of mind knowing that they are no longer affected by this particular vulnerability.

Out of scope

Out of scope

Vulnerability in VTech VCS754a Business Phones Exposes SIP Credentials