Critical Cisco Unified Communications RCE Bug Allows Root Access

Published: 23/11/2024   Category: security




The vulnerability, tracked as CVE-2024-20253, makes enterprise communications infrastructure and customer service call centers sitting ducks for unauthenticated cyberattackers.



A critical security vulnerability in Cisco Unified Communications and Contact Center Solutions (UC/CC) could allow unauthenticated remote code execution (RCE).

The bug (CVE-2024-20253, 9.9 CVSS) arises thanks to improper processing of user-provided data that is being read into memory, according to Cisco's advisory, issued yesterday.

Remote attackers who are not logged onto the system can simply send specially crafted messages to a vulnerable device's listening port in order to achieve RCE; from there, they can execute code on the underlying operating system with the privileges of the web services user, and/or gain root access.

Cisco's UC/CC platforms are used by small and midsized businesses (SMBs) and enterprises to provide communications over IP, including voice calling, video calls, mobile integration, chat and messaging, app integrations, and more. As such, device compromise could have a number of bad outcomes, including: locking up an organization's communications infrastructure with ransomware and disrupting customer service interactions; allowing cyberattackers to infiltrate IP phones and other endpoints hooked into the system; eavesdropping on communications; data exfiltration; reconnaissance for follow-on phishing attacks; and more.

Cisco's advisory offers a list of affected versions and corresponding patches. For those unable to update immediately, the networking giant also detailed a mitigation path: establishing access control lists (ACLs) on intermediary devices that separate the UC/CC cluster from the rest of the network, so that only the ports of deployed services are reachable.
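One way to implement the ACL mitigation the advisory describes, as an added example that is neither Cisco's configuration nor part of the original article: a Cisco IOS extended ACL on the Layer 3 device between the UC/CC cluster and the rest of the network. The subnets, the interface name and the two service ports shown (443 for the web interface, 5060/5061 for SIP) are placeholders and assumptions; the real allow-list must be built from the services actually deployed in the cluster.

```cisco
! Added example, not Cisco's own configuration. Placeholder addressing:
!   UC/CC cluster subnet   : 10.10.20.0/24
!   Admin/management subnet: 10.10.99.0/24
!   Phone/user VLAN        : 10.10.30.0/24
! Ports 443 and 5060/5061 are assumed common UC services; add the RTP
! media range and any other deployed service ports for your own cluster.
ip access-list extended UCCC-INBOUND
 remark Web/management interface reachable only from the admin subnet
 permit tcp 10.10.99.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 443
 remark SIP signalling from the phone VLAN (SIP over TLS preferred)
 permit tcp 10.10.30.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 5061
 permit udp 10.10.30.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 5060
 remark Anything else aimed at the cluster is dropped and logged,
 remark which also gives the SOC a signal for probing of unexposed ports
 deny   ip any 10.10.20.0 0.0.0.255 log
 remark Traffic not destined for the cluster is unaffected by this list
 permit ip any any
!
interface GigabitEthernet0/1
 description Link toward the UC/CC cluster VLAN (placeholder interface)
 ip access-group UCCC-INBOUND out
```

The ACL is applied outbound on the interface facing the cluster, so it filters every packet heading toward the UC/CC hosts regardless of which network it came from; verify the result with `show access-lists UCCC-INBOUND` and watch the deny counters and log messages while confirming that phones still register.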
