cisco-sa-cucm-rce-pqVYwyb: Cisco Unified Communications Products Remote Code Execution Vulnerability
First published: Wed Apr 07 2021(Updated: )
A vulnerability in the SOAP API endpoint of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, Cisco Unity Connection, and Cisco Prime License Manager could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to improper sanitization of user-supplied input. An attacker could exploit this vulnerability by sending a SOAP API request with crafted parameters to an affected device. A successful exploit could allow the attacker to execute arbitrary code with root privileges on the underlying Linux operating system of the affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-rce-pqVYwyb
Credit: Christopher Schneider State Farm Information Security
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco Unified CM and Unified CM SME Releases | =12.5(1)<12.5(1)SU4=12.0(1)<Migrate to 12.5(1)SU4=11.5(1)<11.5(1)SU9>=10.5(2)<=11.0(1)<Migrate to 11.5(1)SU9 | 12.5(1)SU4 Migrate to 12.5(1)SU4 11.5(1)SU9 Migrate to 11.5(1)SU9 |
| Cisco Unified CM IM&P Releases | =12.5(1)<12.5(1)SU4=12.0(1)<Migrate to 12.5(1)SU4=11.5(1)<11.5(1)SU9>=10.5(2)<=11.0(1)<Migrate to 11.5(1)SU9 | 12.5(1)SU4 Migrate to 12.5(1)SU4 11.5(1)SU9 Migrate to 11.5(1)SU9 |
| Cisco Unity Connection Releases | =12.5(1)<12.5(1)SU4=12.0(1)<Migrate to 12.5(1)SU4=11.5(1)<11.5(1)SU9>=10.5(2)<=11.0(1)<Migrate to 11.5(1)SU9 | 12.5(1)SU4 Migrate to 12.5(1)SU4 11.5(1)SU9 Migrate to 11.5(1)SU9 |
| Cisco Prime License Manager Releases | =11.5(1)<11.5(1)SU9>=10.5(2)<=11.0(1)<Migrate to 11.5(1)SU9 | 11.5(1)SU9 Migrate to 11.5(1)SU9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this Cisco Unified Communications Products vulnerability?
The vulnerability ID for this Cisco Unified Communications Products vulnerability is cisco-sa-cucm-rce-pqVYwyb.
What is the severity of the Cisco Unified Communications Products vulnerability?
The severity of the Cisco Unified Communications Products vulnerability is high with a severity value of 8.8.
Which Cisco products are affected by the Cisco Unified Communications Products vulnerability?
The Cisco Unified Communications Products vulnerability affects Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, Cisco Unity Connection, and Cisco Prime License Manager.
How can I fix the Cisco Unified Communications Products vulnerability?
To fix the Cisco Unified Communications Products vulnerability, you should update to one of the recommended versions provided by Cisco.
Where can I find more information about the Cisco Unified Communications Products vulnerability?
You can find more information about the Cisco Unified Communications Products vulnerability on the Cisco Security Advisory page.
- agent/type
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/cisco-advisory
- source/Cisco
- agent/software-canonical-lookup
- agent/severity
- agent/references
- agent/weakness
- agent/title
- agent/author
- agent/description
- agent/event
- agent/tags
- vendor/cisco
- canonical/cisco unified cm and unified cm sme releases
- version/cisco unified cm and unified cm sme releases/12.5(1)
- version/cisco unified cm and unified cm sme releases/12.0(1)
- version/cisco unified cm and unified cm sme releases/11.5(1)
- version/cisco unified cm and unified cm sme releases/10.5(2)
- version/cisco unified cm and unified cm sme releases/11.0(1)
- canonical/cisco unified cm im&p releases
- version/cisco unified cm im&p releases/12.5(1)
- version/cisco unified cm im&p releases/12.0(1)
- version/cisco unified cm im&p releases/11.5(1)
- version/cisco unified cm im&p releases/10.5(2)
- version/cisco unified cm im&p releases/11.0(1)
- canonical/cisco unity connection releases
- version/cisco unity connection releases/12.5(1)
- version/cisco unity connection releases/12.0(1)
- version/cisco unity connection releases/11.5(1)
- version/cisco unity connection releases/10.5(2)
- version/cisco unity connection releases/11.0(1)
- canonical/cisco prime license manager releases
- version/cisco prime license manager releases/11.5(1)
- version/cisco prime license manager releases/10.5(2)
- version/cisco prime license manager releases/11.0(1)