Critical Cisco Unified Communications RCE Bug Allows Root Access

A critical security vulnerability in Cisco Unified Communications and Contact Center Solutions (UC/CC) could allow unauthenticated remote code execution (RCE).

The bug (CVE-2024-20253, 9.9 CVSS) arises thanks to "improper processing of user-provided data that is being read into memory," according to Cisco's advisory, issued yesterday.

Remote attackers who are not logged onto the system can simply send specially crafted messages to a vulnerable device's listening port in order to achieve RCE; from there, they can execute code on the underlying operating system with the privileges of the Web services user, and/or gain root access.

Cisco's UC/CC platforms are used by small and midsized businesses (SMBs) and enterprises to provide communications over IP, including voice calling, video calls, mobile integration, chat and messaging, app integrations, and more. As such, device compromise could have a number of bad outcomes, including: locking up an organization's communications infrastructure with ransomware and disrupting customer service interactions; allowing cyberattackers to infiltrate IP phones and other endpoints hooked into the system; eavesdropping on communications; data exfiltration; recon for follow-on phishing attacks; and more.

Cisco's advisory offers a list of affected versions and corresponding patches. For those unable to immediately update, the networking giant also detailed a mitigation path. This involves establishing access control lists (ACLs) on intermediary devices that separate the UC/CC cluster from the rest of the network, "to allow access only to the ports of deployed services."