A critical flaw at Cisco allows hackers to take remote control of unified communications systems

January 26, 2024PressroomNetwork security/vulnerabilities

Cisco has released patches to address a serious security flaw affecting its Unified Communications and Contact Center Solutions products that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.

Tracked as CVE-2024-20253 (CVSS score: 9.9), the issue results from improper processing of user-supplied data that a threat actor could abuse to send a specially crafted message to a listening port of a vulnerable appliance.

“A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with web services user privileges,” Cisco said in an advisory. “With access to the underlying operating system, the attacker could also establish root access on the affected device.”

Synacktiv security researcher Julien Egloff was credited with discovering and reporting CVE-2024-20253. The following products are affected by the defect:

• Unified Communications Manager (versions 11.5, 12.5(1), and 14)
• IM service and Unified Communications Manager presence (versions 11.5(1), 12.5(1), and 14)
• Unified Communications Manager Session Management Edition (versions 11.5, 12.5(1), and 14)
• Unified Contact Center Express (versions 12.0 and earlier and 12.5(1))
• Unity Connection (versions 11.5(1), 12.5(1), and 14) and
• Virtualized Voice Browser (versions 12.0 and earlier, 12.5(1) and 12.5(2))

While there are no workarounds to address this issue, the networking equipment manufacturer encourages users to create access control lists to limit access where applying updates is not immediately possible.

“Establish access control lists (ACLs) on intermediate devices that separate the Cisco Unified Communications or Cisco Contact Center Solutions cluster from users and the rest of the network to allow access only to distributed services ports,” the company said.

The disclosure comes weeks after Cisco released fixes for a critical security flaw impacting Unity Connection (CVE-2024-20272, CVSS Score: 7.3) that could allow an adversary to execute arbitrary commands on the underlying system.