Cisco Issues Warning on Critical Severity Vulnerability in Unified Communications and Contact Center

CVE-2024-20253 Vulnerability in Cisco Unified Communications and Contact Center Solutions - Critical Severity

A critical-severity vulnerability, tracked as CVE-2024-20253 with a CVSS base score of 9.9 out of 10, has been disclosed in Cisco Unified Communications and Contact Center Solutions. It allows an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system of an affected device; the code first runs with the privileges of the web services user, and from that foothold the attacker can establish root access. The flaw stems from improper processing of user-provided data as it is read into memory, and it is triggered by sending a specially crafted message to a listening port on the affected device.

The impacted products include:

  • Packaged Contact Center Enterprise (PCCE) versions 12.0 and earlier, 12.5(1), and 12.5(2)
  • Unified Communications Manager (Unified CM) versions 11.5, 12.5(1), and 14
  • Unified Communications Manager IM & Presence Service (Unified CM IM&P) versions 11.5(1), 12.5(1), and 14
  • Unified Contact Center Enterprise (UCCE) versions 12.0 and earlier, 12.5(1), and 12.5(2)
  • Unified Contact Center Express (UCCX) versions 12.0 and earlier, 12.5(1)
  • Unity Connection versions 11.5(1), 12.5(1), and 14
  • Virtualized Voice Browser (VVB) versions 12.0 and earlier, 12.5(1), and 12.5(2)

Cisco has released software updates that address the vulnerability; there is no workaround. System administrators are strongly advised to update immediately. Where an update cannot be applied right away, Cisco's recommended mitigation is to configure access control lists (ACLs) on the intermediary devices that separate the Unified Communications or Contact Center cluster from users and the rest of the network, so that only the ports of the services actually deployed are reachable. At the time of writing, Cisco is not aware of any public announcements or malicious use of this vulnerability.
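The interim ACL mitigation above, as an added example that is not part of the original article or of Cisco's advisory: a named extended ACL on a Cisco IOS router sitting between the user VLAN and the cluster subnet. The addresses (10.10.0.0/16 for users, 10.30.0.0/24 for administrators, 10.20.0.0/24 for the cluster), the interface name, and the port list (SIP 5060/5061, SCCP 2000, web UI 8443) are assumptions chosen for illustration; replace them with your own subnets and with the ports of the services you actually run, taken from Cisco's port-usage documentation for each product.

```cisco
! Added example; not from the Cisco advisory. All addresses and ports are
! placeholders (assumptions) to be replaced with the site's real values.
ip access-list extended UC-CLUSTER-IN
 remark Phones and soft clients to the cluster: SIP signalling (TCP/UDP 5060, TLS 5061)
 permit tcp 10.10.0.0 0.0.255.255 10.20.0.0 0.0.0.255 eq 5060
 permit udp 10.10.0.0 0.0.255.255 10.20.0.0 0.0.0.255 eq 5060
 permit tcp 10.10.0.0 0.0.255.255 10.20.0.0 0.0.0.255 eq 5061
 remark SCCP phones (TCP 2000)
 permit tcp 10.10.0.0 0.0.255.255 10.20.0.0 0.0.0.255 eq 2000
 remark Administrative web UI (TCP 8443) only from the admin subnet
 permit tcp 10.30.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 8443
 remark Anything else aimed at the cluster is dropped and logged
 deny   ip any 10.20.0.0 0.0.0.255 log
 permit ip any any
!
interface GigabitEthernet0/1
 description Toward UC cluster subnet 10.20.0.0/24 (assumed)
 ip access-group UC-CLUSTER-IN out
```

The final deny with the log keyword gives a cheap detection signal while the mitigation is in place: hits from unexpected sources against ports that are not in the permit list are exactly the traffic this vulnerability would arrive on. Remember that services which terminate media themselves (for example Unity Connection or Virtualized Voice Browser) also need their RTP port ranges permitted, and that inter-node cluster traffic must not pass through this filter, so place the ACL only on the user-facing boundary.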


Ref : https://www.bleepingcomputer.com/news/security/cisco-warns-of-critical-rce-flaw-in-communications-software/
