Critical Cisco Flaw Lets Hackers Remotely Take Over Unified Comms Systems

Cisco has released patches to address a critical security flaw impacting Unified Communications and Contact Center Solutions products that could permit an unauthenticated, remote attacker to execute arbitrary code on an affected device.

Tracked as CVE-2024-20253 (CVSS score: 9.9), the issue stems from improper processing of user-provided data that a threat actor could abuse to send a specially crafted message to a listening port of a susceptible appliance.

“A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user,” Cisco said in an advisory. “With access to the underlying operating system, the attacker could also establish root access on the affected device.”

Synacktiv security researcher Julien Egloff has been credited with discovering and reporting CVE-2024-20253. The following products are impacted by the flaw –

• Unified Communications Manager (versions 11.5, 12.5(1), and 14)
• Unified Communications Manager IM & Presence Service (versions 11.5(1), 12.5(1), and 14)
• Unified Communications Manager Session Management Edition (versions 11.5, 12.5(1), and 14)
• Unified Contact Center Express (versions 12.0 and earlier and 12.5(1))
• Unity Connection (versions 11.5(1), 12.5(1), and 14), and
• Virtualized Voice Browser (versions 12.0 and earlier, 12.5(1), and 12.5(2))

The disclosure arrives weeks after Cisco shipped fixes for a critical security flaw impacting Unity Connection (CVE-2024-20272, CVSS score: 7.3) that could permit an adversary to execute arbitrary commands on the underlying system.

Source: https://thehackernews.com/