Cisco Unified Communications Products Command Injection Vulnerability
Description
A command injection vulnerability in the CLI of multiple Cisco Unified Communications products allows authenticated local attackers to execute arbitrary commands as root.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A command injection vulnerability exists in the CLI of multiple Cisco Unified Communications products, including Cisco Unified Communications Manager (Unified CM) and Unified CM SME, Unified CM IM&P, Unity Connection, Finesse, Unified Contact Center Express (CCX), Unified Intelligence Center, Virtualized Voice Browser, and Cisco Cloud Contact Platform (CCP). The vulnerability is due to improper validation of user-supplied command arguments. Affected versions include releases earlier than the fixed versions listed in the advisory [1]. An attacker must have valid administrative credentials to reach the vulnerable code path.
Exploitation
An attacker with valid administrative credentials and access to the CLI of an affected device can exploit this vulnerability by supplying crafted arguments to CLI commands. No additional user interaction is required. Because the command arguments are not properly validated, the attacker can inject arguments that pass through the CLI's checks and reach the underlying operating system, resulting in command execution as root.
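To make the bug class described in the Vulnerability and Exploitation sections concrete, here is an added example constructed for this page; it is not Cisco's code and is not taken from the advisory. It models a hypothetical restricted management CLI that wraps an OS tool (here `echo`, so the demo is harmless and runs offline). The vulnerable wrapper concatenates the user's argument into a shell line behind a naive blocklist filter, which is the kind of improper argument validation that lets a crafted argument through; the hardened wrapper allowlists the argument's shape and passes it as a discrete argv element with no shell. All function names, the blocklist and the regex are assumptions made for the illustration.

```python
"""Constructed illustration of improper CLI argument validation leading to
command injection. Hypothetical code, not Cisco's; the wrapped tool is `echo`."""
import re
import subprocess

# Hypothetical naive filter: blocks the obvious separators but not $(...)
# command substitution or a newline, so crafted arguments still get through.
_NAIVE_BLOCKLIST = ";|&`"


def naive_validate(arg: str) -> bool:
    """Return True when no blocklisted separator is present (insufficient)."""
    return not any(ch in arg for ch in _NAIVE_BLOCKLIST)


def vulnerable_run(arg: str) -> str:
    """Vulnerable pattern: the argument is spliced into a shell command line.
    In a real restricted CLI this line would run with elevated privileges."""
    if not naive_validate(arg):
        raise ValueError("rejected by naive filter")
    cmd = f"echo target {arg}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.strip()


def argv_only_run(arg: str) -> str:
    """Intermediate step: no shell, so metacharacters are inert, but the
    value is still not validated (option-style values such as '-f' would
    reach the tool unchanged)."""
    out = subprocess.run(["echo", "target", arg], capture_output=True, text=True, check=True)
    return out.stdout.strip()


# Hardened: allowlist the value shape (hostname or IPv4 literal, no leading
# hyphen, no metacharacters) and never involve a shell.
_HOST_RE = re.compile(
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def strict_validate(arg: str) -> bool:
    """Return True only for a plausible hostname/IPv4 literal of sane length."""
    return len(arg) <= 253 and _HOST_RE.fullmatch(arg) is not None


def hardened_run(arg: str) -> str:
    """Hardened wrapper: allowlist validation plus argv execution without a shell."""
    if not strict_validate(arg):
        raise ValueError(f"argument rejected: {arg!r}")
    out = subprocess.run(["echo", "target", arg], capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    payload = "$(printf INJECTED)"           # constructed payload: passes the naive filter
    print("vulnerable:", vulnerable_run(payload))   # the substitution is executed by the shell
    print("argv only :", argv_only_run(payload))    # printed literally, not executed
    try:
        hardened_run(payload)
    except ValueError as exc:
        print("hardened  :", exc)
```

The three wrappers show the progression a practitioner should expect: a blocklist is bypassed by a metacharacter it did not anticipate, switching to argv execution neutralises shell interpretation but still lets untrusted values reach the tool, and only an allowlist on the value's shape combined with argv execution closes the path. Exact input validation is the control the advisory's "improper validation of user-supplied command arguments" is about.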
Impact
Successful exploitation allows the attacker to execute arbitrary commands on the underlying operating system as the root user. This results in full compromise of the affected device, including complete control over system files, processes, and network services.
Mitigation
Cisco has released fixed software versions for each affected product. For example, Cisco CCP 15.0(1), Finesse 12.6(2)ES6 or 15.0(1), Unified CM and Unified CM SME 15SU2, Unified CM IM&P 15SU2, Unified CCX 15.0(1), Unified Intelligence Center 12.6(2)ES04 or 15.0(1), Unity Connection 15SU2, and Virtualized Voice Browser 12.6(2)ES04 or 15.0(1). Customers should upgrade to the appropriate fixed release. No workarounds are available. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 11.0(1)ES_Rollback
- Range: 12.5(1)ES01
- Range: 12.5(1)SU2
- Range: 12.5(1)
- Range: 10.6(1)
- Range: 11.6(1)
- Range: 12.5(1)
- Range: 11.0(1)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.