Generic filters
Exact matches only
Search in title
Search in content
Filter by Custom Post Type
Posts
Filter by Categories







[CVSS 9+] Critical Cisco Vulnerability: Patch now!

Executive Summary

Cisco has recently released critical security patches to address a significant vulnerability, known as CVE-2024-20253, impacting various Unified Communications and Contact Center Solutions products.

This vulnerability, with a CVSS score of 9.9, allows unauthenticated remote attackers to execute arbitrary code on vulnerable devices.

Organisations should promptly apply the provided patch to the affected products.

About CVE-2024-20253

CVE-2024-20253 is a critical vulnerability that results from insecure input validation during the deserialisation of untrusted data. This flaw potentially enables attackers to execute arbitrary code on the affected device. As a result, they could even gain root access to the compromised device.

On the other hand, attackers must possess the privileges of the web services user to exploit this vulnerability fully.

The vulnerability affects several Cisco products, including:

  • Packaged Contact Center Enterprise,
  • Unified Communications Manager,
  • Unified Communications Manager IM & Presence Service,
  • Unified Communications Manager Session Management Edition,
  • Unified Contact Center Enterprise,
  • Unified Contact Center Express, Unity Connection,
  • Virtualized Voice Browser.
Cisco’s Response

Cisco has promptly released a fix for the critical vulnerability.

While there are no direct workarounds for this vulnerability, Cisco recommends implementing access control lists (ACLs) on intermediary devices. These ACLs should separate the Cisco Unified Communications or Cisco Contact Center Solutions cluster from users and the rest of the network. Additionally, they should allow access only to the ports of deployed services.

Cisco also stated that they have not yet detected any active exploitation of the vulnerability or any public proof-of-concept exploits.

For detailed information about the vulnerability and Cisco’s recommendations, please refer to the official Cisco advisory.

Recent Cisco Vulnerabilities

Please be aware that this disclosure comes right after a high-severity security issue that Cisco fixed earlier in January.

The previous vulnerability, identified as CVE-2024-20272, had a CVSS score of 7.3 and affected Unity Connection. This vulnerability permits adversaries to execute arbitrary commands on the underlying system.

Obviously, staying informed about Cisco security advisories and promptly applying patches is crucial to maintaining network infrastructure security.

RECENT BLOG POSTS

PODCASTS

Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.