Cisco Unified Communications Products Command Injection Vulnerability
TL;DR 📌
A command injection vulnerability has been identified in the command-line interface (CLI) of multiple Cisco Unified Communications products. It allows an authenticated, local attacker who already holds administrative credentials to execute arbitrary commands on the underlying operating system as root. Cisco has released software updates that address the issue; there are no workarounds.
What happened 🕵️♂️
A vulnerability in the Command Line Interface (CLI) of several Cisco Unified Communications products could allow an authenticated, local attacker to execute arbitrary commands on the affected device's operating system as the root user. The flaw stems from improper validation of user-supplied command arguments: arguments typed into a CLI command are passed on to the underlying OS without being adequately checked, so shell metacharacters in an argument are interpreted as additional commands. To exploit the vulnerability, the attacker must possess valid administrative credentials and a CLI session (for example over SSH or the console). The practical effect is an escape from the product's restricted administrative CLI to an unrestricted root shell on the appliance.
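To make the mechanism concrete, here is an added example (not Cisco's code; the command `utils network ping <host>` and the argument shape are assumptions for illustration) showing a restricted-CLI handler that splices a user-supplied argument into a shell command, next to a hardened version that validates the argument and invokes the binary with an argv list and no shell. `shell_command_count` shows how many commands `/bin/sh -c` would actually run for a given string, which is the difference between a ping and a root shell.

```python
import ipaddress
import re
import shlex
from typing import List

# --- Vulnerable pattern ----------------------------------------------------
# The restricted CLI takes the argument from the admin and builds one string
# that a privileged wrapper hands to /bin/sh (shell=True). Anything the shell
# treats specially inside `host` becomes part of the command line.
def build_ping_vulnerable(host: str) -> str:
    """Return the shell command string the vulnerable handler would execute."""
    return f"ping -c 1 {host}"


def shell_command_count(cmd: str) -> int:
    """Count how many commands a POSIX shell would run for `cmd`.

    Uses shlex in punctuation mode so ';', '|', '||', '&', '&&' come back as
    separate tokens; each separator starts one more command.
    """
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    separators = {";", "|", "||", "&", "&&"}
    return 1 + sum(1 for tok in lexer if tok in separators)


# --- Hardened pattern ------------------------------------------------------
# Validate the argument against what the command actually needs (an IP
# address or a DNS hostname) and pass it as a single argv element.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def parse_host(host: str) -> str:
    """Accept a literal IPv4/IPv6 address or an RFC 1123 hostname, else raise."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if len(host) <= 253 and _HOSTNAME_RE.fullmatch(host):
        return host
    raise ValueError(f"invalid host argument: {host!r}")


def build_ping_hardened(host: str) -> List[str]:
    """Return the argv list the hardened handler would pass to execve().

    No shell is involved, so metacharacters cannot split the command, and the
    '--' guard stops a hostname that starts with '-' from being read as an
    option. Validation happens first, so junk never reaches the binary.
    """
    return ["ping", "-c", "1", "--", parse_host(host)]


if __name__ == "__main__":
    payload = "127.0.0.1; id"   # constructed injection attempt
    cmd = build_ping_vulnerable(payload)
    print(cmd, "->", shell_command_count(cmd), "command(s) would run")
    try:
        print(build_ping_hardened(payload))
    except ValueError as exc:
        print("hardened handler rejected it:", exc)
```

In a real appliance the wrapper that runs the string is what carries the root privilege, so the hardened handler's two properties (argument validation and argv-without-shell) are both needed: validation alone leaves the parser's edge cases in play, and argv alone still lets an attacker pass arbitrary options to the binary.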
Affected products 🖥️
The following Cisco products are affected by this vulnerability if they are running a vulnerable software release:
- Customer Collaboration Platform (CCP)
- Finesse
- Unified Communications Manager (Unified CM)
- Unified Communications Manager IM & Presence Service (Unified CM IM&P)
- Unified Communications Manager Session Management Edition (Unified CM SME)
- Unified Contact Center Express (Unified CCX)
- Unified Intelligence Center
- Unity Connection
- Virtualized Voice Browser
Fixed software 🔧
Upgrade to at least the first fixed release in your train (or later). Note that the table as carried on this page is not consistent with the advisory it summarizes: every row is labeled ISE / ISE-PIC (Identity Services Engine), which is not among the affected products listed above, and the same train appears more than once with different first fixed releases. Treat these rows as unverified and confirm the first fixed release for each affected Unified Communications product against Cisco's advisory and the Cisco Software Checker before scheduling the upgrade.
| Product / Release Train | First Fixed Release | Notes |
|---|---|---|
| ISE / ISE-PIC 15.0 | 15.0(1) | |
| ISE / ISE-PIC 12.6 | 12.6(2)ES6 | |
| ISE / ISE-PIC 15.0 | 15SU2 | |
| ISE / ISE-PIC 12.6 | 12.6(2)ES04 | |
| ISE / ISE-PIC 12.6 | 12.6(2)ES06 | |
| ISE / ISE-PIC 1.0 | | Initial public release. |
Workarounds 🧯
There are no workarounds available to mitigate this vulnerability.
Risk in context 🎯
The highest CVSS score for this vulnerability is 6.0 (Medium). Because exploitation requires valid administrative credentials and CLI access, the realistic threat is a malicious or compromised administrator, or an attacker who has already obtained admin credentials through phishing, reuse, or another compromise; the vulnerability then turns restricted-CLI admin access into root on the appliance, with full access to call-control configuration, credentials, and logs. That is why it still deserves prompt patching: it removes the last boundary between "administrator of the product" and "owner of the host". Until the fixed release is deployed, limit who holds CLI-capable admin accounts, require MFA and unique credentials for them, restrict CLI reachability to management networks, and review the platform's audit logs for CLI commands whose arguments contain shell metacharacters.
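Since there is no workaround, audit-log review is the main compensating control while the upgrade is pending. The following added example (not Cisco's code, and the `key=value` audit-line format, host names, users and commands are constructed for this illustration, not a Cisco log format) scans CLI audit lines and flags two things a SOC would want to see: command arguments containing shell metacharacters, and CLI use by an account outside the approved administrator set.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample audit lines (format and content are assumptions).
SAMPLE_AUDIT_LINES = [
    '2024-05-01T10:01:12Z host=cucm-pub user=admin src=10.0.0.5 result=success cmd="show network eth0"',
    '2024-05-01T10:02:40Z host=cucm-pub user=admin src=10.0.0.5 result=success cmd="utils network ping 10.0.0.1"',
    '2024-05-01T10:03:05Z host=cucm-pub user=admin src=10.0.0.5 result=success cmd="utils network ping 10.0.0.1; id"',
    '2024-05-01T10:04:19Z host=cucm-pub user=admin src=10.0.0.5 result=success cmd="utils network ping $(id)"',
    '2024-05-01T10:05:00Z host=cucm-pub user=ops-rw src=10.0.0.77 result=success cmd="show version active"',
]

_LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) '
    r'result=(?P<result>\S+) cmd="(?P<cmd>[^"]*)"$'
)
# Characters a POSIX shell treats specially; none belong in a hostname,
# interface name, or any other argument the restricted CLI accepts.
_META_RE = re.compile(r"[;&|`$<>(){}\r\n]")


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    src: str
    cmd: str
    reason: str


def check_line(line: str, approved_admins: Set[str]) -> List[Finding]:
    """Return zero or more findings for one audit line."""
    m = _LINE_RE.match(line)
    if not m:
        return []  # unparsed lines are skipped; count them separately in production
    f = m.groupdict()
    findings: List[Finding] = []
    # Only the arguments matter; the first token is the command itself.
    _, _, args = f["cmd"].partition(" ")
    if _META_RE.search(args):
        findings.append(Finding(f["ts"], f["host"], f["user"], f["src"], f["cmd"],
                                "shell metacharacter in CLI argument"))
    if f["user"] not in approved_admins:
        findings.append(Finding(f["ts"], f["host"], f["user"], f["src"], f["cmd"],
                                "CLI use by account outside approved admin set"))
    return findings


def scan(lines: List[str], approved_admins: Set[str]) -> List[Finding]:
    """Scan many audit lines; returns findings in log order."""
    out: List[Finding] = []
    for line in lines:
        out.extend(check_line(line, approved_admins))
    return out


if __name__ == "__main__":
    for fd in scan(SAMPLE_AUDIT_LINES, {"admin"}):
        print(f"{fd.ts} {fd.host} {fd.user}@{fd.src}: {fd.reason}: {fd.cmd!r}")
```

Run this over exported audit logs (or feed the same two rules into your SIEM) and treat any metacharacter hit on a pre-patch system as an incident: a legitimate administrator has no reason to put `;`, `$(`, or backticks into a CLI argument.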
Fast facts ⚡
- Vulnerability Type: Command Injection
- CVSS Score: 6.0 (Medium)
- Exploitation Requirements: Valid administrative credentials
- Affected Products: Multiple Cisco Unified Communications products
- Fixed Releases Available: Yes, for all affected products
For leadership 🧭
It is crucial for organizations utilizing Cisco Unified Communications products to take immediate action to address this vulnerability. Ensure that your IT teams are aware of the affected products and prioritize the deployment of the fixed software releases. Regularly consult Cisco’s security advisories to stay informed about vulnerabilities and necessary updates.