Cisco has reported a critical vulnerability in some of its widely used software, urging users to patch their endpoints immediately. The flaw, tracked as CVE-2024-20253, carries a severity score of 9.9/10 and was first discovered by security researcher Julien Egloff of Synacktiv.
The vulnerability lets a threat actor send a crafted message to a listening port on an affected system, execute arbitrary commands, and from there establish root access via malware. The affected software is used by enterprises for voice, video, messaging services, customer engagement, and customer management.
The list of vulnerable products and their versions includes Packaged Contact Center Enterprise (PCCE), Unified Communications Manager (Unified CM), Unified Communications Manager IM & Presence Service (Unified CM IM&P), Unified Contact Center Enterprise (UCCE), Unified Contact Center Express (UCCX), Unity Connection, and Virtualized Voice Browser (VVB).
Cisco warned that there is no workaround for the vulnerability; the only way to remain secure is to apply the patch. Cisco's advisory also lists the software versions that are no longer vulnerable.
To address the vulnerability, users are advised to apply the patch that corresponds to their software version. Cisco has provided the necessary patches for PCCE, Unified CM, Unified CME, Unified CM IM&P, UCCE, UCCX, and VVB.