On January 24, 2024, Cisco issued an advisory concerning CVE-2024-20253 with a CVSS score of 9.9, impacting various Cisco Unified Communications and Contact Center Solutions products (listed in the table below).
The vulnerability is due to improper processing of user-supplied data. An attacker could craft messages directed at a listening port on a vulnerable instance exposed to the internet and achieve remote code execution on the underlying operating system. The level of privilege obtained depends on the privileges assigned to the web services user and may potentially be root.
There are no workarounds. The recommendation is to patch vulnerable instances.
| Release | First Fixed Release |
|---|---|
| Unified Communications Manager Session Management Edition (Unified CM SME) | |
| 11.5(1) | Migrate to a fixed release |
| 12.5(1) | 12.5(1)SU8 or ciscocm.v1_java_deserial-CSCwd64245.cop.sha512 |
| 14 | 14SU3 or ciscocm.v1_java_deserial-CSCwd64245.cop.sha512 |
| 15 | Not vulnerable |
| Unified Communications Manager IM & Presence Service (Unified CM IM&P) | |
| 11.5(1) | Migrate to a fixed release |
| 12.5(1) | 12.5(1)SU8 or ciscocm.cup-CSCwd64276_JavaDeserialization.cop.sha512 |
| 14 | 14SU3 or ciscocm.cup-CSCwd64276_JavaDeserialization.cop.sha512 |
| 15 | Not vulnerable |
| Unity Connection | |
| 11.5(1) | Migrate to a fixed release |
| 12.5(1) | 12.5(1)SU8 or ciscocm.cuc.v1_java_deserial-CSCwd64292.k4.cop.sha512 |
| 14 | 14SU3 or ciscocm.cuc.v1_java_deserial-CSCwd64292.k4.cop.sha512 |
| 15 | Not vulnerable |
| Unified Contact Center Express (UCCX) | |
| 12.0 and earlier | Migrate to a fixed release |
| 12.5(1) | ucos.v1_java_deserial-CSCwd64245.cop.sgn |
| 15 | Not vulnerable |
| Virtualized Voice Browser (VVB) | |
| 12.0 and earlier | Migrate to a fixed release |
| 12.5(1) and 12.5(2) | ucos.v1_java_deserial-CSCwd64245.cop.sgn |
| 15 | Not vulnerable |