CVE-2024-20253
Description
Unauthenticated remote code execution in Cisco Unified Communications products via crafted message to a listening port.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A remote code execution vulnerability exists in multiple Cisco Unified Communications and Contact Center Solutions products. The flaw is due to improper processing of user-provided data being read into memory. An unauthenticated, remote attacker can exploit this by sending a crafted message to a listening port of an affected device. This affects versions of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, Cisco Unity Connection, Cisco Emergency Responder, and Cisco Prime Collaboration Deployment prior to the fixed releases [1].
Exploitation
The attacker does not require authentication or prior knowledge of the target. By sending a specially crafted message to a listening network port (e.g., TCP port 8443 or others used by these products), the attacker triggers the vulnerability. No user interaction is needed. The exploitation is performed over the network remotely [1].
Impact
Successful exploitation allows the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user. With OS access, the attacker can escalate privileges to root, leading to full compromise of the affected device. This impacts confidentiality, integrity, and availability of the system [1].
Mitigation
Cisco has released free software updates to address this vulnerability. Customers with service contracts should obtain fixes through their usual update channels. The fixed versions are noted in the Cisco Security Advisory [1]. No workarounds are available; upgrading to the patched release is the only mitigation. The advisory also provides links to the software download page and licensing information.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 10.5(1)
- (no CPE) range: 12.0(1)SU1
- (no CPE) range: 10.5(2)SU10
- Range: 10.5(1)
- Range: N/A
- Range: 8.5(1)
- Range: 12.0(1)SU1
- Range: 11.0(1)
Patches
No patches discovered yet.
References
News mentions
- Cisco warns of critical Unified CM flaw with PoC exploit code (BleepingComputer · Jun 4, 2026)