CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-20253

CVSS 9.9v3.1pub. 2024-01-26upd. 2025-05-29

A vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to the improper processing of user-provided data that is being read into memory. An attacker could exploit this vulnerability by sending a crafted message to a listening port of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user. With access to the underlying operating system, the attacker could also establish root access on the affected device.

🤖 AI Analysis
How it works

The vulnerability results from improper processing of user-supplied data during loading into memory (CWE-502 — deserialization of untrusted data). An attacker sends a specially crafted message to a listening port on the vulnerable device. Successful exploitation of the vulnerability allows execution of arbitrary commands in the context of the web service user, and subsequently gaining root access to the operating system.

Impact

An attacker can execute arbitrary commands on the device's operating system with web service user privileges, and subsequently gain full root access to the device. This exposes the system to loss of confidentiality, integrity, and availability of the entire system.

Mitigation & patch

Security patches available from the manufacturer should be applied in accordance with the references (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-rce-bWNzQcUm). Additionally, it is recommended to restrict network access to listening ports on vulnerable devices exclusively to trusted hosts using firewall or ACL rules.

Who is affected

Cisco Unified Communications Manager, Cisco Unified Communications Manager IM and Presence Service, Cisco Unity Connection — versions indicated in the manufacturer's references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H
  • Cisco Unified Communications Manager

    APP
    Cisco
    < 12.5\(1\)su814.0 – 14su3 (bez)
  • Cisco Unified Communications Manager Im And Presence Service

    APP
    Cisco
    < 12.5\(1\)su814.0 – 14.0su3 (bez)
  • Cisco Unified Contact Center Express

    APP
    Cisco
    12.5\(1\)
  • Cisco Unity Connection

    APP
    Cisco
    14.0 – 14su3 (bez)< 12.5\(1\)su8
  • Cisco Virtualized Voice Browser

    APP
    Cisco
    12.5\(1\)12.6\(1\)12.6\(2\)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2025-20358CRITICAL9.4PL ✓ten sam produkt

Cisco Unified CCX: pominięcie uwierzytelnienia w CCX Editor (RCE)

CVE-2025-20354CRITICAL9.8PL ✓ten sam produkt

RCE z uprawnieniami root w Cisco Unified Contact Center Express (Java RMI)

CVE-2025-20309CRITICAL10.0PL ✓ten sam produkt

Cisco Unified CM — statyczne dane logowania root umożliwiają pełne przejęcie systemu

CVE-2022-20658CRITICAL9.6ten sam produkt

A vulnerability in the web-based management interface of Cisco Unified Contact Center Management Portal (Unifi...

CVE-2020-3280CRITICAL9.8ten sam produkt

A vulnerability in the Java Remote Management Interface of Cisco Unified Contact Center Express (Unified CCX) ...