Cisco Patches High-Severity Vulnerability Reported by NSA

A high-severity vulnerability in Cisco Unified CM and Unified CM SME could allow attackers to cause a denial-of-service (DoS) condition.

Cisco on Wednesday announced patches for multiple vulnerabilities across its products, including a high-severity bug in its enterprise collaboration solutions.

Tracked as CVE-2024-20375, the high-severity issue (CVSS score of 8.6) impacts the SIP call processing function of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) and can be exploited remotely, without authentication.

The flaw stems from improper parsing of SIP messages: an unauthenticated, remote attacker could send crafted SIP messages to an affected device and cause it to reload, resulting in a denial-of-service (DoS) condition.

According to Cisco, there are no workarounds that address this vulnerability; the fix is to upgrade. Unified CM and Unified CM SME versions 12.5(1)SU9, 14SU4, and 15SU1 contain patches for it.
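The three fixed releases above are one per release train (12.5(1), 14 and 15), so triaging a fleet means asking, per train, whether each cluster is at or past the first fixed service update. The script below is an added example written for this article, not Cisco's code or the advisory's own tooling: it parses releases written in the advisory's notation (e.g. "14SU3", "12.5(1)SU9", "15") and classifies each as fixed, vulnerable, or needing a migration to a fixed train. It assumes that any later service update on the same train also carries the fix, that the inventory already holds release strings in this notation (a real inventory pulled from the product would need its version format mapped first), and the host names and inventory entries are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# First fixed releases for CVE-2024-20375 as stated in the article,
# keyed by release train. Trains with no entry have no fixed release listed.
FIXED_RELEASES: Dict[str, str] = {
    "12.5(1)": "12.5(1)SU9",
    "14": "14SU4",
    "15": "15SU1",
}

# Advisory-style release notation: <train>[SU<n>], where the train is
# "14", "15" or "12.5(1)"-shaped. Real "show version" output differs
# (assumption: inventory strings have already been normalised to this form).
_RELEASE_RE = re.compile(r"^(?P<train>\d+(?:\.\d+)?(?:\(\d+\))?)(?:SU(?P<su>\d+))?$")


@dataclass(frozen=True)
class Release:
    train: str  # e.g. "12.5(1)", "14", "15"
    su: int     # service update number; 0 means the base release


def parse_release(text: str) -> Release:
    """Parse a release string such as '14SU3', '12.5(1)SU9' or '15'."""
    m = _RELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {text!r}")
    su = int(m.group("su")) if m.group("su") else 0
    return Release(train=m.group("train"), su=su)


def assess(text: str) -> str:
    """Classify one Unified CM / Unified CM SME release against the fixed releases.

    Returns 'fixed' if the release is the first fixed SU or later on its train,
    'vulnerable' if it is an earlier SU on a train that has a fix, and
    'migrate' if the train has no fixed release listed (assumption: such
    clusters must move to one of the fixed trains).
    """
    rel = parse_release(text)
    fixed = FIXED_RELEASES.get(rel.train)
    if fixed is None:
        return "migrate"
    return "fixed" if rel.su >= parse_release(fixed).su else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by status so the 'vulnerable' and 'migrate' lists can be actioned."""
    groups: Dict[str, List[str]] = {"fixed": [], "vulnerable": [], "migrate": []}
    for host, release in sorted(inventory.items()):
        groups[assess(release)].append(host)
    return groups


# Constructed inventory (hypothetical hosts and releases, for illustration only).
SAMPLE_INVENTORY = {
    "cucm-pub-hq": "14SU3",
    "cucm-sub-hq": "14SU4",
    "cucm-sme-core": "12.5(1)SU9",
    "cucm-pub-branch": "12.5(1)SU8",
    "cucm-lab": "15",
    "cucm-legacy": "11.5(1)SU8",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Anything in the "vulnerable" bucket upgrades within its own train; anything in "migrate" has no fixed release on its train and needs a move to 12.5(1)SU9, 14SU4 or 15SU1. Because no workaround exists, the SIP-facing interfaces of those clusters should be treated as exposed until the upgrade lands.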

The tech giant has credited the US National Security Agency (NSA) for reporting CVE-2024-20375 and notes that it is not aware of the security defect being exploited in the wild.

On Wednesday, the company also updated its advisory on CVE-2024-6387, the OpenSSH vulnerability known as regreSSHion, with additional information on the released and planned fixes for Cisco products found to be vulnerable.

Additionally, Cisco published four advisories detailing medium-severity bugs in Identity Services Engine (ISE), Unified CM, and Unified CM SME.

Three of these security defects were found in Cisco ISE: a blind SQL injection via REST API calls, an information disclosure, and a cross-site request forgery (CSRF).


The fourth issue impacts the web-based management interface of Unified CM and Unified CM SME, and could allow remote, unauthenticated attackers to perform a cross-site scripting (XSS) attack and execute arbitrary script code in the context of the interface.

The company says it is not aware of any of these vulnerabilities being exploited in the wild. Additional information can be found on Cisco’s security advisories page.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
