Vulnerability Description
A Java deserialization vulnerability in Cisco Unity Express (CUE) could allow an unauthenticated, remote attacker to execute arbitrary shell commands with the privileges of the root user. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a malicious serialized Java object to the listening Java Remote Method Invocation (RMI) service. A successful exploit could allow the attacker to execute arbitrary commands on the device with root privileges.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cisco | Unity Express | < 9.0.6 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/105876Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1042130Third Party AdvisoryVDB Entry
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-2Vendor Advisory
- http://www.securityfocus.com/bid/105876Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1042130Third Party AdvisoryVDB Entry
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-2Vendor Advisory
FAQ
What is CVE-2018-15381?
CVE-2018-15381 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A Java deserialization vulnerability in Cisco Unity Express (CUE) could allow an unauthenticated, remote attacker to execute arbitrary shell commands with the privileges of the root user. The vulnerab...
How severe is CVE-2018-15381?
CVE-2018-15381 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-15381?
Check the references section above for vendor advisories and patch information. Affected products include: Cisco Unity Express.