Cisco Unified Vulnerability - CVE-2024-20253

Cisco Unified Communications and Contact Center Solutions Vulnerability – CVE-2024-20253

A critical vulnerability, identified as CVE-2024-20253, has been discovered in multiple Cisco Unified Communications and Contact Center Solutions products. This flaw allows unauthenticated remote attackers to execute arbitrary code on affected devices, posing a high-risk threat to system integrity and security. 

Vulnerability Details 

• Risk: High 
• CVSS: 9.9  
• CVE-ID: CVE-2024-20253 
• CWE-ID: CWE-502 – Deserialization of Untrusted Data 

Description 

The vulnerability stems from insecure input validation during the deserialization of untrusted data. An attacker can exploit this flaw by sending a specially crafted message to a listening port on the affected device. Successful exploitation may lead to the execution of arbitrary code, resulting in a complete compromise of the vulnerable system. 

Affected Products 

This vulnerability affects several Cisco products in their default configuration, including but not limited to: 

• Packaged Contact Center Enterprise (PCCE) 
• Unified Communications Manager (Unified CM) 
• Unified Communications Manager IM & Presence Service (Unified CM IM&P) 
• Unified Communications Manager Session Management Edition (Unified CM SME) 
• Unified Contact Center Enterprise (UCCE) 
• Unified Contact Center Express (UCCX) 
• Unity Connection 
• Virtualized Voice Browser (VVB) 

Vulnerable software versions include Cisco Packaged Contact Center Enterprise 12.0.0 – 12.5.2, Cisco Unified Communications Manager 11.5(1) – 14SU4, and others. 

Exploitability 

• Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability. 

Mitigation 

To mitigate this vulnerability, it is recommended to install updates from the vendor’s website. Furthermore, Cisco advises implementing access control lists (ACLs) on intermediary devices to separate the Cisco Unified Communications or Cisco Contact Center Solutions cluster from users and the rest of the network, allowing access only to the ports of deployed services. 

References 

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-rce-bWNzQcUm 
• https://www.itnews.com.au/news/cisco-unified-comms-systems-patched-against-rce-604400 
• https://securityonline.info/cve-2024-20253-cvss-9-9-cisco-unified-communications-products-rce-vulnerability 
• https://www.cybersecurity-help.cz/vdb/SB2024012480 
• https://www.bleepingcomputer.com/news/security/cisco-warns-of-critical-rce-flaw-in-communications-software/