CVE-2024-20253 Cisco Unified Communications Products Remote Code Execution Vulnerability

CVE-2024-20253 is a critical vulnerability affecting several Cisco Unified Communications and Contact Center Solutions products. It allows a remote, unauthenticated attacker to execute arbitrary code on an affected device, which puts the integrity and security of the whole system at risk. The vulnerability is caused by improper processing of user-supplied data that is read into memory. An attacker could exploit it by sending a manipulated message to a listening port on an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user. With access to the underlying operating system, the attacker could then establish root access on the affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that resolve it; however, a mitigation is available. Implementing Access Control Lists (ACLs) on intermediate devices that separate the Cisco Unified Communications or Cisco Contact Center Solutions cluster from users and the rest of the network, so that only the ports of the services actually implemented are reachable, limits the exposure of the listening ports the exploit would need to reach.
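As an added illustration of that mitigation (not Cisco's published configuration), the fragment below is a Cisco IOS extended ACL on the Layer 3 device in front of the cluster. The subnets and the port set are assumptions; a real deployment replaces them with its own addresses and with the ports of the services it has implemented.

```cisco
! Added example. All addresses and ports below are constructed placeholders:
!   UC cluster subnet  = 10.10.10.0/24
!   phone/user subnet  = 10.20.0.0/16
!   management subnet  = 10.99.0.0/24
ip access-list extended UC-CLUSTER-IN
 remark Administrative web access only from the management subnet (assumed HTTPS)
 permit tcp 10.99.0.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 443
 remark Phone registration and signalling (assumed SIP over TLS and SCCP)
 permit tcp 10.20.0.0 0.0.255.255 10.10.10.0 0.0.0.255 eq 5061
 permit tcp 10.20.0.0 0.0.255.255 10.10.10.0 0.0.0.255 eq 2000
 remark Phone configuration download (assumed TFTP and HTTP on 6970)
 permit udp 10.20.0.0 0.0.255.255 10.10.10.0 0.0.0.255 eq 69
 permit tcp 10.20.0.0 0.0.255.255 10.10.10.0 0.0.0.255 eq 6970
 remark Anything else aimed at the cluster, including unlisted listening ports, is dropped and logged
 deny ip any 10.10.10.0 0.0.0.255 log
 remark Traffic not destined for the cluster is unaffected
 permit ip any any
!
interface GigabitEthernet0/1
 description Link toward the user VLAN (assumed)
 ip access-group UC-CLUSTER-IN in
```

Hit counts on the final deny entry (`show ip access-lists UC-CLUSTER-IN`) reveal which cluster ports were being reached from the user side that are not part of an implemented service, which is also what you would want to watch after the upgrade.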

This vulnerability affects the following Cisco products in the default configuration:

  • Packaged Contact Center Enterprise (PCCE)
  • Unified Communications Manager (Unified CM)
  • Unified Communications Manager IM & Presence Service (Unified CM IM&P)
  • Unified Communications Manager Session Management Edition (Unified CM SME)
  • Unified Contact Center Enterprise (UCCE)
  • Unity Connection
  • Unified Contact Center Express (UCCX)
  • Virtualized Voice Browser (VVB)

For more information about CVE-2024-20253, you can check the official Cisco website.

Versions vulnerable to CVE-2024-20253

| Product | Version |
|---|---|
| Packaged Contact Center Enterprise (PCCE) | 12.0, 12.5 |
| Unified Communications Manager (Unified CM) | 11.5, 12.0, 12.5 |
| Unified Communications Manager IM & Presence Service (Unified CM IM&P) | 11.5, 12.0, 12.5 |
| Unified Communications Manager Session Management Edition (Unified CM SME) | 11.5, 12.0, 12.5 |
| Unified Contact Center Enterprise (UCCE) | 11.6, 12.0, 12.5 |
| Unified Contact Center Express (UCCX) | 11.6, 12.0, 12.5 |
| Unity Connection | 11.5, 12.0, 12.5 |
| Virtualized Voice Browser (VVB) | 11.6, 12.0, 12.5 |

If your product and version are on this list, I strongly recommend updating the software as soon as possible or applying the mitigation suggested by Cisco.

Mitigation and Fixed Releases

Customers are advised to upgrade to an appropriate fixed software release as indicated in this section. I reproduce below the official fix information that Cisco provides on its website.

Unified CM and Unified CM SME: CSCwd64245

| Cisco Unified CM and Unified CM SME Release | First Fixed Release |
|---|---|
| 11.5(1) | Migrate to a fixed release. |
| 12.5(1) | 12.5(1)SU8 or ciscocm.v1_java_deserial-CSCwd64245.cop.sha512 |
| 14 | 14SU3 or ciscocm.v1_java_deserial-CSCwd64245.cop.sha512 |
| 15 | Not vulnerable. |

Unified CM IM&P: CSCwd64276

| Cisco Unified CM IM&P Release | First Fixed Release |
|---|---|
| 11.5(1) | Migrate to a fixed release. |
| 12.5(1) | 12.5(1)SU8 or ciscocm.cup-CSCwd64276_JavaDeserialization.cop.sha512 |
| 14 | 14SU3 or ciscocm.cup-CSCwd64276_JavaDeserialization.cop.sha512 |
| 15 | Not vulnerable. |

Unity Connection: CSCwd64292

| Cisco Unity Connection Release | First Fixed Release |
|---|---|
| 11.5(1) | Migrate to a fixed release. |
| 12.5(1) | 12.5(1)SU8 or ciscocm.cuc.v1_java_deserial-CSCwd64292.k4.cop.sha512 |
| 14 | 14SU3 or ciscocm.cuc.v1_java_deserial-CSCwd64292.k4.cop.sha512 |
| 15 | Not vulnerable. |

UCCX: CSCwe18773

| Cisco UCCX Release | First Fixed Release |
|---|---|
| 12.0 and earlier | Migrate to a fixed release. |
| 12.5(1) | ucos.v1_java_deserial-CSCwd64245.cop.sgn |
| 15 | Not vulnerable. |

VVB: CSCwe18840

| Cisco VVB Release | First Fixed Release |
|---|---|
| 12.0 and earlier | Migrate to a fixed release. |
| 12.5(1) and 12.5(2) | ucos.v1_java_deserial-CSCwd64245.cop.sgn |
| 15 | Not vulnerable. |
