Systems Engineering is aware of the Cisco Unified Communications Products Remote Code Execution Vulnerability, CVE: CVE-2024-20253.
Cisco rates this vulnerability as CRITICAL.
Cisco announced that a vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to the improper processing of user-provided data that is being read into memory. A successful attack would allow a malicious attacker to have complete control over the system by obtaining root access. Once they have root access, they can execute malicious commands or attack other aspects of a network. The attacker does not need to compromise credentials to exploit this vulnerability.
This vulnerability is specific to Cisco Unified Communication Phone System servers. Per Cisco's Security Advisory notice, the specific versions that are affected are as follows:
Unified CM and Unified CM SME: CSCwd64245
Cisco Unified CM and Unified CM SME Release |
First Fixed Release |
11.5(1) |
Migrate to a fixed release. |
12.5(1) |
12.5(1)SU8 or |
14 |
14SU3 or |
Unified CM IM&P: CSCwd64276
Cisco Unified CM IM&P Release |
First Fixed Release |
11.5(1) |
Migrate to a fixed release. |
12.5(1) |
12.5(1)SU8 or |
14 |
14SU3 or |
Unity Connection: CSCwd64292
Cisco Unity Connection Release |
First Fixed Release |
11.5(1) |
Migrate to a fixed release. |
12.5(1) |
12.5(1)SU8 or |
14 |
14SU3 or |
UCCX: CSCwe18773
Cisco UCCX Release |
First Fixed Release |
12.0 and earlier |
Migrate to a fixed release. |
12.5(1) |
ucos.v1_java_deserial-CSCwd64245.cop.sgn |
Cisco has released a patch to remediate affected systems.
For clients who have Systems Engineering manage their Cisco Unified Communication servers, we will proactively patch your systems and will be in touch about remediating this vulnerability.
For clients responsible for managing your own Cisco Unified Communication servers, we strongly recommend you patch your affected systems to address this vulnerability. Should you need assistance with the patching process, please contact Systems Engineering Customer Service at 207.772.4199. Our team will open a service ticket to ensure your system is updated against any potential threats.
If you are a Systems Engineering client and have questions about this Security Alert, please contact your Account Manager.