Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Cisco Patches Critical Vulnerability in Enterprise Collaboration Products

A critical flaw in Cisco Unified Communications and Contact Center Solutions products could lead to remote code execution.

Cisco on Wednesday announced patches for a critical-severity vulnerability in multiple Unified Communications and Contact Center Solutions products.

The issue, tracked as CVE-2024-20253 (CVSS score of 9.9), exists because user-provided data is not properly processed when read into memory.

“An attacker could exploit this vulnerability by sending a crafted message to a listening port of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user,” Cisco explains in its advisory.

An attacker able to exploit the security defect to access the OS could gain root access to a vulnerable device, the tech giant says.

The flaw impacts the default configuration of Packaged Contact Center Enterprise, Unified Communications Manager, Unified Communications Manager IM & Presence Service, Unified Communications Manager Session Management Edition, Unified Contact Center Enterprise, Unified Contact Center Express, Unity Connection, and Virtualized Voice Browser.

Cisco has released security updates to address the issue in all affected products and recommends that all customers update to a patched version as soon as possible, noting that no workarounds are available.

However, the company points out that customers can mitigate the bug by implementing access control lists (ACLs) on intermediary devices to separate the vulnerable products from the network.

On Wednesday, Cisco also announced patches for two medium-severity flaws in Business 250 and Business 350 series switches, and in Unity Connection.

Advertisement. Scroll to continue reading.

An access control list (ACL) management security defect in the switches could allow an unauthenticated, remote attacker to bypass protections and cause traffic to drop or be forwarded in an unexpected manner.

Unity Connection, Cisco says, is affected by a cross-site scripting (XSS) bug in the web-based management interface that could lead to the execution of arbitrary script code. An attacker would have to convince a user to click on a malicious link to successfully exploit the flaw.

Cisco says it is not aware of any of these vulnerabilities being exploited in malicious attacks. Additional information on the bugs can be found on Cisco’s security advisories page.

Related: Cisco Patches Critical Vulnerability in Unity Connection Product

Related: Exploitation of Recent Cisco IOS XE Vulnerabilities Spikes

Related: Cisco Patches 27 Vulnerabilities in Network Security Products

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.