Cisco has raised an alert about a critical remote code execution vulnerability affecting its Unified Communications Manager (CM) and Contact Center Solutions products. Tracked as CVE-2024-20253, the flaw poses a severe risk, allowing an unauthenticated, remote attacker to execute arbitrary code on the affected devices. The impacted products include Unified Communications Manager, Contact Center Express, and others. Cisco recommends applying available security updates to address the vulnerability, and in cases where updates are not immediately possible, administrators are advised to implement access control lists (ACLs) as a mitigation strategy.
The vulnerability, discovered by Synacktiv researcher Julien Egloff, received a base score of 9.9 out of 10 for its severity. It arises from improper processing of user-provided data read into memory. Attackers can exploit the flaw by sending a specially crafted message to a listening port, potentially gaining the ability to execute arbitrary commands with the privileges of the web services user and establish root access. The affected products include Packaged Contact Center Enterprise (PCCE), Unified Communications Manager (Unified CM), Unified Contact Center Enterprise (UCCE), and others.
Cisco’s recommended action is to apply the available security updates, with specific releases addressing the critical remote code execution (RCE) flaw for various products. The company notes that there is no workaround for the vulnerability. Furthermore, administrators are urged to set up access control lists (ACLs) as an interim mitigation measure, allowing access only to the ports of deployed services to control traffic reaching the affected components. Cisco states that it is not aware of any public announcements or malicious use of the vulnerability at present.
