Cisco Patches Critical Vulnerability in Unified Communications and Contact Center Solutions
By: Austin Ukpebor - January 27, 2024 at 01:52:39am
Cisco has released security updates to address a critical remote code execution vulnerability affecting several Unified Communications and Contact Center Solutions products. The flaw, tracked as CVE-2024-20253, has a CVSS score of 9.9 out of 10 and could allow an unauthenticated, remote attacker to execute arbitrary code on the affected devices.
Julien Egloff, a security researcher from Synacktiv, discovered and reported the vulnerability to Cisco through the Zero Day Initiative program. According to Cisco, the vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by sending a crafted request to the affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause a denial of service (DoS) condition on the device.
The following products are affected by this vulnerability in the default configuration:
- Unified Communications Manager (Unified CM) (CSCwd64245)
- Unified Communications Manager IM & Presence Service (Unified CM IM&P) (CSCwd64276)
- Unified Communications Manager Session Management Edition (Unified CM SME) (CSCwd64245)
- Unified Contact Center Express (UCCX) (CSCwe18773)
- Unity Connection (CSCwd64292)
- Virtualized Voice Browser (VVB) (CSCwe18840)
Cisco has provided patches for the affected products and advised customers to apply them immediately. There are no workarounds that address this vulnerability. However, Cisco has suggested some mitigation techniques that could reduce the risk of exploitation. These include using access control lists (ACLs) to restrict access to the affected devices and allowing only the necessary TCP and UDP ports for the Cisco Unified Communications or Cisco Contact Center Solutions cluster.
Cisco has also warned that the mitigation techniques have only been tested in a lab environment and may only be suitable for some customers. Therefore, customers should ensure appropriate backup and recovery procedures are in place before deploying the mitigation to their production environment.
Cisco said it is unaware of any public exploits or malicious use of this vulnerability. The company thanked Julien Egloff and the Zero Day Initiative team for reporting and working with them to resolve the issue.
Customers can refer to the Cisco Security Advisory page or contact the Cisco Technical Assistance Center (TAC) for more information.