CVE-2024-20253 — CRITICAL (9.9)

Q: How severe is CVE-2024-20253?

CVE-2024-20253 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2024-20253?

Check the references section above for vendor advisories and patch information. Affected products include: Cisco Unified Communications Manager, Cisco Unified Communications Manager Im And Presence Service, Cisco Unity Connection, Cisco Unified Contact Center Express, Cisco Virtualized Voice Browser.

Vulnerability Description

A vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to the improper processing of user-provided data that is being read into memory. An attacker could exploit this vulnerability by sending a crafted message to a listening port of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user. With access to the underlying operating system, the attacker could also establish root access on the affected device.

CVSS Score

9.9

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

HIGH

Affected Products

Vendor	Product	Versions
Cisco	Unified Communications Manager	< 12.5\(1\)su8
Cisco	Unified Communications Manager Im And Presence Service	< 12.5\(1\)su8
Cisco	Unity Connection	< 12.5\(1\)su8
Cisco	Unified Contact Center Express	12.5\(1\)
Cisco	Virtualized Voice Browser	12.5\(1\)

Related Weaknesses (CWE)

CWE-502

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/ciIssue TrackingVendor Advisory
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/ciIssue TrackingVendor Advisory

FAQ

What is CVE-2024-20253?

CVE-2024-20253 is a vulnerability with a CVSS score of 9.9 (CRITICAL). A vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vul...

How severe is CVE-2024-20253?

CVE-2024-20253 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2024-20253?

Check the references section above for vendor advisories and patch information. Affected products include: Cisco Unified Communications Manager, Cisco Unified Communications Manager Im And Presence Service, Cisco Unity Connection, Cisco Unified Contact Center Express, Cisco Virtualized Voice Browser.