A vulnerability in Cisco Unified Communications Manager (CM) and Contact Center Solutions allows remote code execution (RCE). The message: patch now.
Cisco has found a vulnerability in Unified Communications Manager (CM) and Contact Center Solutions. Both products are vulnerable to remote code execution (RCE). An attacker could exploit the vulnerability to execute arbitrary code on affected devices.
Cisco Unified Communications and Contact Center solutions provide enterprise-class voice, video and messaging services. They are also used for customer support and customer management.
The vulnerability is tracked as CVE-2024-20253 and has a critical rating of 9.9 out of 10. In a detailed bulletin, Cisco explains which systems and version numbers are affected and how to patch them.
Specifically, the following products are affected in their standard configuration:
- Packaged Contact Center Enterprise (PCCE) versions 12.0 and earlier, 12.5(1) and 12.5(2).
- Unified Communications Manager (Unified CM) versions 11.5, 12.5(1) and 14.
- Unified Communications Manager IM & Presence Service (Unified CM IM&P), versions 11.5(1), 12.5(1) and 14.
- Unified Contact Center Enterprise (UCCE) versions 12.0 and earlier, 12.5(1) and 12.5(2).
- Unified Contact Center Express (UCCX) versions 12.0 and earlier and 12.5(1).
- Unity Connection versions 11.5(1), 12.5(1), and 14.
- Virtualized Voice Browser (VVB) versions 12.0 and earlier, 12.5(1) and 12.5(2).
The message is to patch now. There is no way to mitigate the vulnerability. If patching is temporarily not possible, Cisco recommends setting up an access control list (ACL), but ultimately patching remains a requirement.