Critical Vulnerability in Cisco's Unified Communications Manager and Contact Center Solutions Products

Published on 27 Jan 2024

Cisco has released security updates to address a critical vulnerability (CVE-2024-20253) in its Unified Communications Manager (CM) and Contact Center Solutions products. The vulnerability has a Common Vulnerability Scoring System (CVSSv3) score of 9.9 out of 10.

Successful exploitation of the vulnerability could allow an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user. With access to the underlying operating system, the attacker could also establish root access on the affected device.

The vulnerability affects the following product versions:
  • Packaged Contact Center Enterprise (PCCE) versions 12.0 and earlier, 12.5(1), and 12.5(2)
  • Unified Communications Manager (Unified CM) and Unified CM SME versions 11.5, 12.5(1), and 14
  • Unified Communications Manager IM & Presence Service (Unified CM IM&P) versions 11.5(1), 12.5(1), and 14
  • Unified Contact Center Enterprise (UCCE) versions 12.0 and earlier, 12.5(1), and 12.5(2)
  • Unified Contact Center Express (UCCX) versions 12.0 and earlier and 12.5(1)
  • Unity Connection versions 11.5(1), 12.5(1), and 14
  • Virtualized Voice Browser (VVB) versions 12.0 and earlier, 12.5(1), and 12.5(2)

Users and administrators of affected product versions are advised to update to the latest versions immediately.

More information is available at: