Cisco Unified Communications Manager
cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:*:*:*
- 12.5
- 14
- 15
This vulnerability is being actively exploited in the wild.
A remote code execution vulnerability has been identified in multiple Cisco Unified Communications products, including Unified Communications Manager (Unified CM), Unified Communications Manager Session Management Edition (Unified CM SME), Unified Communications Manager IM & Presence Service (Unified CM IM&P), Unity Connection, and Webex Calling Dedicated Instance. It allows an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. The issue arises from improper validation of user-supplied input in HTTP requests: an attacker could exploit it by sending crafted HTTP requests to the web-based management interface of the device. Successful exploitation could give the attacker user-level access to the operating system, from which they could elevate privileges to root.
Exploitation of this vulnerability could result in an attacker executing arbitrary commands on the affected device's operating system, with the potential to escalate privileges to root.
Cisco has released software updates to address this vulnerability. For Unified CM, Unified CM IM&P, Unified CM SME, and Webex Calling Dedicated Instance, users should upgrade to version 14SU5 or 15SU4, or apply a specific patch available through the Cisco Software Download site. For Unity Connection, the same upgrade recommendations apply.