Critical remote code execution vulnerability in Cisco Unified Communications products

Target Industry

Any industry deploying Cisco Unified Communications products, particularly retail and other customer service industries, given that some of the affected products are contact centre solutions products.

Overview

Cisco has released an advisory on a critical vulnerability affecting multiple Cisco Unified Communications and Contact Center Solutions products, tracked as CVE-2024-20253 (CVSS 3.1 base score: 9.9).

This vulnerability allows an unauthenticated, remote attacker to execute arbitrary code by sending specific crafted messages to a listening port on an affected device. If successful, this exploit could allow the attacker to run malicious code sent within this message on the underlying operating system of the recipient device.

The vulnerability is caused by improper handling of user-provided data. Although the arbitrary code runs with the privileges of the ‘web services user’, that foothold on the underlying operating system could then be used to gain root access on the affected device.

Impact

Successful exploitation of CVE-2024-20253 could lead to an attacker gaining root permissions on the recipient device. This could then potentially be used as an initial entry point for lateral movement around the network which contains the compromised host.

Vulnerability Detection

Cisco has released updated versions of each affected product. Previous versions of these products remain vulnerable to CVE-2024-20253.

Affected Products

Note that these products are affected in their respective default configurations:

  • Unified Communications Manager (Unified CM) (CSCwd64245)
  • Unified Communications Manager IM & Presence Service (Unified CM IM&P) (CSCwd64276)
  • Unified Communications Manager Session Management Edition (Unified CM SME) (CSCwd64245)
  • Unified Contact Center Express (UCCX) (CSCwe18773)
  • Unity Connection (CSCwd64292)
  • Virtualized Voice Browser (VVB) (CSCwe18840)

Containment, Mitigations, and Remediations

If possible, the Cisco software updates that upgrade these products to versions no longer affected by this vulnerability should be applied immediately.

For situations where updates cannot immediately be applied, Cisco states that there are no workarounds for this vulnerability, but that there is a mitigation strategy involving the use of access control lists (ACLs) on intermediary devices between these Cisco products and the rest of the network. ACLs on these intermediary devices should only allow access to the ports of deployed services, and these ACLs should be tested prior to deployment to assess their potential impact on business operations.
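A sketch of the ACL mitigation described above, added here as an illustration and not taken from the Cisco advisory. It assumes a Cisco IOS router as the intermediary device, the documentation prefix 192.0.2.0/24 standing in for the UC cluster, 10.0.0.0/8 as the user network, 10.10.10.0/24 as the management subnet, and an illustrative set of service ports (SIP 5060/5061, SCCP 2000, administrative HTTPS 8443) that must be replaced with the services actually deployed.

```text
! Extended ACL on the intermediary Layer 3 device that fronts the UC cluster.
! 192.0.2.0/24 is a documentation prefix used here in place of the real cluster (assumption).
ip access-list extended UC-CLUSTER-INBOUND
 remark Allow only the ports of services actually deployed on the cluster
 remark Port list is illustrative; replace it with the services you run
 permit tcp 10.0.0.0 0.255.255.255 192.0.2.0 0.0.0.255 eq 5060
 permit tcp 10.0.0.0 0.255.255.255 192.0.2.0 0.0.0.255 eq 5061
 permit udp 10.0.0.0 0.255.255.255 192.0.2.0 0.0.0.255 eq 5060
 permit tcp 10.0.0.0 0.255.255.255 192.0.2.0 0.0.0.255 eq 2000
 remark Administrative HTTPS only from the management subnet
 permit tcp 10.10.10.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 8443
 remark Everything else destined for the cluster is dropped and logged,
 remark so connection attempts to any other listening port surface in syslog
 deny ip any 192.0.2.0 0.0.0.255 log
!
! Apply outbound on the interface that faces the cluster so only traffic
! heading towards the cluster is filtered; return traffic is unaffected.
interface GigabitEthernet0/1
 description Link towards the UC cluster
 ip access-group UC-CLUSTER-INBOUND out
```

Logging on the deny line costs CPU on the intermediary device under heavy scanning, and any service omitted from the permit list will break, so the list should be validated against the deployed services and tested in a maintenance window before rollout.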

Indicators of Compromise

No known Indicators of Compromise (IoCs). In the report on CVE-2024-20253, Cisco’s Product Security Incident Response Team (PSIRT) notes that it is not aware of malicious use of this vulnerability.

Threat Landscape

Cisco holds a significant share of the enterprise network infrastructure market, and the affected products are used extensively by organisations across all industry sectors. In this context, it has been assessed that cyber threat actors will almost certainly view organisations whose operations depend on these products as prime targets as they seek to meet their objectives. It is therefore of critical importance to follow the recommended remediation and mitigation strategies to reduce the risk of exploitation.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

TA0004 – Privilege Escalation

Further Information

Cisco Advisory