Cisco patches critical flaw in Unified Communications Products
Take action: If you run Cisco Unified Communications or Contact Center products, first check that they are properly segregated from users and the rest of the network, then patch as soon as possible.
Cisco has issued a critical advisory for a remote code execution (RCE) vulnerability, tracked as CVE-2024-20253 (CVSS score 9.9), affecting several of its unified communications and contact center products, including:
- Packaged Contact Center Enterprise (PCCE) (CSCwe18830)
- Unified Communications Manager (Unified CM) (CSCwd64245)
- Unified Communications Manager IM & Presence Service (Unified CM IM&P) (CSCwd64276)
- Unified Communications Manager Session Management Edition (Unified CM SME) (CSCwd64245)
- Unified Contact Center Enterprise (UCCE) (CSCwe18830)
- Unified Contact Center Express (UCCX) (CSCwe18773)
- Unity Connection (CSCwd64292)
- Virtualized Voice Browser (VVB) (CSCwe18840)
An unauthenticated, remote attacker can exploit this vulnerability by sending a crafted message to a listening port of an affected device and execute arbitrary commands on the underlying operating system with the privileges of the web services user; from there, root access on the device can be established. The root cause is improper processing of user-provided data that is read into memory; the names of the fix files listed below (java_deserial, JavaDeserialization) identify it as an unsafe Java deserialization issue.
Cisco has released fixed releases and patch (COP) files and advises upgrading to a fixed release or applying the corresponding file. The first fixed release per product is:
Unified CM and Unified CM SME: CSCwd64245
| Cisco Unified CM and Unified CM SME Release | First Fixed Release |
|---|---|
| 11.5(1) | Migrate to a fixed release. |
| 12.5(1) | 12.5(1)SU8 or ciscocm.v1_java_deserial-CSCwd64245.cop.sha512 |
| 14 | 14SU3 or ciscocm.v1_java_deserial-CSCwd64245.cop.sha512 |
| 15 | Not vulnerable. |
Unified CM IM&P: CSCwd64276
| Cisco Unified CM IM&P Release | First Fixed Release |
|---|---|
| 11.5(1) | Migrate to a fixed release. |
| 12.5(1) | 12.5(1)SU8 or ciscocm.cup-CSCwd64276_JavaDeserialization.cop.sha512 |
| 14 | 14SU3 or ciscocm.cup-CSCwd64276_JavaDeserialization.cop.sha512 |
| 15 | Not vulnerable. |
Unity Connection: CSCwd64292
| Cisco Unity Connection Release | First Fixed Release |
|---|---|
| 11.5(1) | Migrate to a fixed release. |
| 12.5(1) | 12.5(1)SU8 or ciscocm.cuc.v1_java_deserial-CSCwd64292.k4.cop.sha512 |
| 14 | 14SU3 or ciscocm.cuc.v1_java_deserial-CSCwd64292.k4.cop.sha512 |
| 15 | Not vulnerable. |
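The three tables above share the same release logic (11.5(1) must migrate, 12.5(1) needs SU8 or the COP file, 14 needs SU3 or the COP file, 15 is not vulnerable), which makes it easy to check an inventory against them. The following script is an added example, not Cisco tooling: the fixed-release data is transcribed from the tables, while the grammar it assumes for release labels such as "12.5(1)SU7a" or "14SU3", and the hostnames in the sample inventory, are constructed for the example.

```python
import re
from typing import Tuple

# Fixed-release data transcribed from the Unified CM / Unified CM SME,
# Unified CM IM&P and Unity Connection tables. "migrate" and "not vulnerable"
# are the tables' own wording; an integer is the first fixed SU for that train.
PRODUCTS = {
    "Unified CM": {
        "cop": "ciscocm.v1_java_deserial-CSCwd64245.cop.sha512",
        "fixed": {"11.5(1)": "migrate", "12.5(1)": 8, "14": 3, "15": "not vulnerable"},
    },
    "Unified CM IM&P": {
        "cop": "ciscocm.cup-CSCwd64276_JavaDeserialization.cop.sha512",
        "fixed": {"11.5(1)": "migrate", "12.5(1)": 8, "14": 3, "15": "not vulnerable"},
    },
    "Unity Connection": {
        "cop": "ciscocm.cuc.v1_java_deserial-CSCwd64292.k4.cop.sha512",
        "fixed": {"11.5(1)": "migrate", "12.5(1)": 8, "14": 3, "15": "not vulnerable"},
    },
}
# Unified CM SME shares the Unified CM table and COP file.
PRODUCTS["Unified CM SME"] = PRODUCTS["Unified CM"]

# Assumed label grammar (not from the advisory): a train such as "12.5(1)" or
# "14", optionally followed by "SU<n>" and a letter suffix ("12.5(1)SU7a").
# A bare train is treated as SU0.
LABEL_RE = re.compile(r"^(?P<train>\d+(?:\.\d+)?(?:\(\d+\))?)(?:SU(?P<su>\d+)[a-z]?)?$")


def parse_label(label: str) -> Tuple[str, int]:
    """Split a release label into (train, service-update number)."""
    m = LABEL_RE.match(label.strip())
    if not m:
        raise ValueError(f"unrecognised release label: {label!r}")
    return m.group("train"), int(m.group("su") or 0)


def assess(product: str, label: str) -> Tuple[str, str]:
    """Return (status, action) for one product/release against the tables.

    status is one of "not_vulnerable", "fixed", "vulnerable", "unknown".
    """
    train, su = parse_label(label)
    entry = PRODUCTS[product]
    first_fixed = entry["fixed"].get(train)
    if first_fixed is None:
        return "unknown", f"{train} is not in the advisory table; check the Cisco advisory directly"
    if first_fixed == "not vulnerable":
        return "not_vulnerable", "no action required"
    if first_fixed == "migrate":
        return "vulnerable", "migrate to a fixed release"
    if su >= first_fixed:
        return "fixed", "already at or above the first fixed service update"
    return "vulnerable", f"upgrade to {train}SU{first_fixed} or install {entry['cop']}"


if __name__ == "__main__":
    # Constructed inventory for the example, not real hosts.
    inventory = [
        ("cucm-pub-01", "Unified CM", "12.5(1)SU7a"),
        ("cucm-sme-01", "Unified CM SME", "14SU3"),
        ("imp-01", "Unified CM IM&P", "14SU2"),
        ("cuc-01", "Unity Connection", "11.5(1)"),
        ("cucm-lab", "Unified CM", "15"),
    ]
    for host, product, label in inventory:
        status, action = assess(product, label)
        print(f"{host:12} {product:16} {label:12} {status:15} {action}")
```

A train that is not in the table (for example 12.0) is reported as unknown rather than guessed at, since the tables only enumerate the trains Cisco listed.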
PCCE and UCCE: CSCwe18830
| Cisco PCCE and UCCE Release | First Fixed Release |
|---|---|
| 12.0 and earlier | Migrate to a fixed release. |
| 12.5(1) and 12.5(2) | ucos.v1_java_deserial-CSCwd64245.cop.sgn |
| 15 | Not vulnerable. |
UCCX: CSCwe18773
| Cisco UCCX Release | First Fixed Release |
|---|---|
| 12.0 and earlier | Migrate to a fixed release. |
| 12.5(1) | ucos.v1_java_deserial-CSCwd64245.cop.sgn |
| 15 | Not vulnerable. |
VVB: CSCwe18840
| Cisco VVB Release | First Fixed Release |
|---|---|
| 12.0 and earlier | Migrate to a fixed release. |
| 12.5(1) and 12.5(2) | ucos.v1_java_deserial-CSCwd64245.cop.sgn |
| 15 | Not vulnerable. |
As a mitigation, Cisco recommends isolating the Unified Communications and Contact Center clusters from users and the rest of the network with access control lists (ACLs) on intermediary devices, allowing access only to the ports of the services actually deployed. This reduces exposure of the listening ports an attacker would need to reach, but it is not a substitute for patching.
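One way to verify that such segregation is actually in effect is to audit flow records towards the cluster against a per-port allowlist of source networks. The script below is an added example, not from Cisco or the advisory: the cluster subnet, the service ports, the allowed source networks and the flow-record format are all constructed assumptions; replace them with the services you really deploy and the log format your firewall or NetFlow collector produces.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Assumed UC cluster subnet (illustrative, not from the advisory).
CLUSTER = ipaddress.ip_network("10.1.1.0/24")

# Assumed deployed-service allowlist: (protocol, destination port) -> source
# networks permitted to reach it. Anything not listed is treated as a service
# that should not be reachable at all. Ports and networks are illustrative.
ALLOW: Dict[Tuple[str, int], List[str]] = {
    ("tcp", 5060): ["10.20.0.0/16"],   # SIP signalling from the phone VLANs
    ("tcp", 5061): ["10.20.0.0/16"],   # SIP over TLS from the phone VLANs
    ("udp", 5060): ["10.20.0.0/16"],
    ("tcp", 8443): ["10.99.0.0/24"],   # web administration only from the management subnet
    ("tcp", 22):   ["10.99.0.0/24"],   # CLI only from the management subnet
}

# Assumed key=value flow-record format, e.g. from a firewall log export.
FLOW_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+proto=(\w+)\s+dport=(\d+)")


def audit(lines: List[str]) -> List[Tuple[str, str, str, int, str]]:
    """Return (src, dst, proto, dport, reason) for every flow into the cluster
    that the allowlist does not permit. Flows to other destinations are ignored."""
    violations = []
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue  # not a flow record we understand
        src, dst, proto, dport = m.group(1), m.group(2), m.group(3).lower(), int(m.group(4))
        if ipaddress.ip_address(dst) not in CLUSTER:
            continue
        allowed = ALLOW.get((proto, dport))
        if allowed is None:
            violations.append((src, dst, proto, dport, "port not in deployed-service allowlist"))
            continue
        src_ip = ipaddress.ip_address(src)
        if not any(src_ip in ipaddress.ip_network(net) for net in allowed):
            violations.append((src, dst, proto, dport, "source network not permitted for this service"))
    return violations


# Constructed sample flow records for the example.
SAMPLE_FLOWS = [
    "2024-01-25T10:00:01Z src=10.20.5.17 dst=10.1.1.10 proto=tcp dport=5060",   # phone -> SIP: ok
    "2024-01-25T10:00:02Z src=10.20.5.17 dst=10.1.1.10 proto=tcp dport=8443",   # phone VLAN -> admin port
    "2024-01-25T10:00:03Z src=192.168.77.4 dst=10.1.1.11 proto=tcp dport=7080", # unlisted port
    "2024-01-25T10:00:04Z src=10.99.0.5 dst=10.1.1.10 proto=tcp dport=8443",    # mgmt -> admin: ok
    "2024-01-25T10:00:05Z src=10.20.5.17 dst=10.50.0.9 proto=tcp dport=8443",   # not the cluster: ignored
    "2024-01-25T10:00:06Z some unrelated log line",
]

if __name__ == "__main__":
    for src, dst, proto, dport, reason in audit(SAMPLE_FLOWS):
        print(f"{src:15} -> {dst}:{dport}/{proto}  {reason}")
```

Two of the sample flows are flagged: a host in the phone VLAN reaching the web administration port, and an arbitrary host reaching a port that is not part of any deployed service. Both are exactly the paths an ACL in front of the cluster should be blocking, and the second is the kind of listening port the advisory describes as the attack surface.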