Executive Summary
Cisco has recently released critical security patches to address a significant vulnerability, known as CVE-2024-20253, impacting various Unified Communications and Contact Center Solutions products.
This vulnerability, with a CVSS score of 9.9, allows unauthenticated remote attackers to execute arbitrary code on vulnerable devices.
Organisations should promptly apply the provided patch to the affected products.
About CVE-2024-20253
CVE-2024-20253 is a critical vulnerability that results from insecure input validation during the deserialisation of untrusted data. This flaw potentially enables attackers to execute arbitrary code on the affected device. As a result, they could even gain root access to the compromised device.
On the other hand, attackers must possess the privileges of the web services user to exploit this vulnerability fully.
The vulnerability affects several Cisco products, including:
- Packaged Contact Center Enterprise,
- Unified Communications Manager,
- Unified Communications Manager IM & Presence Service,
- Unified Communications Manager Session Management Edition,
- Unified Contact Center Enterprise,
- Unified Contact Center Express, Unity Connection,
- Virtualized Voice Browser.
Cisco’s Response
Cisco has promptly released a fix for the critical vulnerability.
While there are no direct workarounds for this vulnerability, Cisco recommends implementing access control lists (ACLs) on intermediary devices. These ACLs should separate the Cisco Unified Communications or Cisco Contact Center Solutions cluster from users and the rest of the network. Additionally, they should allow access only to the ports of deployed services.
Cisco also stated that they have not yet detected any active exploitation of the vulnerability or any public proof-of-concept exploits.
For detailed information about the vulnerability and Cisco’s recommendations, please refer to the official Cisco advisory.
Recent Cisco Vulnerabilities
Please be aware that this disclosure comes right after a high-severity security issue that Cisco fixed earlier in January.
The previous vulnerability, identified as CVE-2024-20272, had a CVSS score of 7.3 and affected Unity Connection. This vulnerability permits adversaries to execute arbitrary commands on the underlying system.
Obviously, staying informed about Cisco security advisories and promptly applying patches is crucial to maintaining network infrastructure security.
- Germany Seizes Major Underground Marketplace
- Digital Skimming Operation in Europe: 443 compromised online shops identified
- Nissan Oceania Under Cyberattack
- Japan Attributes PyPI Supply Chain Cyberattack to North Korea
- Microsoft Adopts Passkeys in Windows 11
- GenAI Contributes to a Spike in BEC Attacks