Cisco fixes critical RCE flaw in call center solution (Security News, May 2020)
Cisco has patched a critical remote code execution hole in Cisco Unified Contact Center Express, its "Contact center in a box" solution, and is urging administrators to upgrade to a fixed software version.
"The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary code as the root user on an affected device," Cisco explained.
Another piece of good news is that Cisco Talos released Snort rules for protecting against exploitation of the flaw.
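The flaw class Cisco describes above, a listener that deserializes a Java object it received from the network, is usually defended in two places: on the wire (the Snort rules) and in the application (a deserialization filter that rejects classes it does not expect). Both need the same piece of information, the class names a stream announces before any object is built. The following Python is an added example written for this page, not code from Help Net Security, Cisco or Unified CCX: it reads the class-descriptor chain at the head of a Java serialization stream and applies an allowlist to it, which is the check Java's own `ObjectInputFilter` performs in `resolveClass`. The stream constants are the real Java serialization markers; the class names (`com.example.*`) and the payload built by `build_demo_object` are constructed for the demo.

```python
"""Inspect the class-descriptor chain of a Java serialization stream.

Added example for this page, not Cisco or Unified CCX code. It parses only
what an allowlist filter needs (the first object's class and superclasses)
and refuses to guess on truncated or unexpected input.
"""
import struct

# Real Java serialization stream markers (java.io.ObjectStreamConstants)
STREAM_MAGIC = b"\xac\xed"
STREAM_VERSION = b"\x00\x05"
TC_NULL, TC_REFERENCE, TC_CLASSDESC, TC_OBJECT = 0x70, 0x71, 0x72, 0x73
TC_STRING, TC_ENDBLOCKDATA = 0x74, 0x78
SC_SERIALIZABLE = 0x02


class _Reader:
    """Bounds-checked cursor over the payload; every short read is an error."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def byte(self) -> int:
        return self.take(1)[0]

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated stream")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def utf(self) -> str:
        """Java modified-UTF string: 2-byte big-endian length, then bytes."""
        (length,) = struct.unpack(">H", self.take(2))
        return self.take(length).decode("utf-8")


def _read_class_desc(r: _Reader, names: list) -> None:
    """Parse one classDesc (TC_CLASSDESC already consumed) and its superclass chain."""
    names.append(r.utf())                       # className
    r.take(8)                                   # serialVersionUID
    r.byte()                                    # classDescFlags
    (field_count,) = struct.unpack(">H", r.take(2))
    for _ in range(field_count):
        typecode = chr(r.byte())                # primitive letter, 'L' or '['
        r.utf()                                 # field name
        if typecode in "L[":                    # object/array fields carry a type string
            marker = r.byte()
            if marker == TC_STRING:
                r.utf()
            elif marker == TC_REFERENCE:
                r.take(4)                       # back-reference handle
            else:
                raise ValueError("unexpected field type marker")
    if r.byte() != TC_ENDBLOCKDATA:             # classAnnotation: only the empty case is supported here
        raise ValueError("class annotations not supported")
    superclass = r.byte()
    if superclass == TC_CLASSDESC:
        _read_class_desc(r, names)
    elif superclass == TC_REFERENCE:
        r.take(4)
    elif superclass != TC_NULL:
        raise ValueError("unexpected superclass marker")


def outer_class_chain(payload: bytes) -> list:
    """Class names of the stream's first object, outermost first; [] if not a Java object stream."""
    if not payload.startswith(STREAM_MAGIC + STREAM_VERSION):
        return []
    r = _Reader(payload)
    r.take(4)                                   # magic + version
    if r.byte() != TC_OBJECT or r.byte() != TC_CLASSDESC:
        return []
    names: list = []
    _read_class_desc(r, names)
    return names


def filter_verdict(payload: bytes, allowlist) -> str:
    """Allowlist decision in the spirit of ObjectInputFilter: reject unless every class is expected."""
    chain = outer_class_chain(payload)
    if not chain:
        return "not-a-java-object-stream"
    unexpected = [c for c in chain if c not in allowlist]
    return "allowed" if not unexpected else "rejected:" + ",".join(unexpected)


def _utf(s: str) -> bytes:
    encoded = s.encode("utf-8")
    return struct.pack(">H", len(encoded)) + encoded


def build_demo_object(class_name: str, super_name: str = None) -> bytes:
    """Constructed sample stream: one object with a single int field 'count' (value 7)."""
    desc = (bytes([TC_CLASSDESC]) + _utf(class_name) + b"\x00" * 8 + bytes([SC_SERIALIZABLE])
            + struct.pack(">H", 1) + b"I" + _utf("count") + bytes([TC_ENDBLOCKDATA]))
    if super_name:
        desc += (bytes([TC_CLASSDESC]) + _utf(super_name) + b"\x00" * 8 + bytes([SC_SERIALIZABLE])
                 + struct.pack(">H", 0) + bytes([TC_ENDBLOCKDATA]) + bytes([TC_NULL]))
    else:
        desc += bytes([TC_NULL])
    return STREAM_MAGIC + STREAM_VERSION + bytes([TC_OBJECT]) + desc + struct.pack(">i", 7)


if __name__ == "__main__":
    allow = {"com.example.TicketRequest", "com.example.BaseMessage"}
    print(filter_verdict(build_demo_object("com.example.TicketRequest", "com.example.BaseMessage"), allow))
    print(filter_verdict(build_demo_object("com.example.Unexpected"), allow))
```

The parser stops at the class-descriptor chain on purpose: deciding whether to reject a stream must happen before any constructor, `readObject` or `readResolve` of the announced classes runs, and a truncated or malformed header is treated as a hard error rather than something to skip over.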
According to Cisco, its Cisco Unified Contact Center - a solution for much larger customer contact centers - is not affected by CVE-2020-3280.
In the last couple of days, Cisco has also squashed two high-risk DoS vulnerabilities - one affecting its MDS 9000 Series Multilayer Switches and the other affecting Cisco Prime Network Registrar, a DNS, DHCP and IP address management appliance - and three of medium severity affecting Cisco Prime Collaboration Provisioning Software, Cisco AMP for Endpoints Mac Connector Software, and Cisco AMP for Endpoints Linux Connector Software.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/gX40pMwonIg/
Related news
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices
- Cisco Releases Patch for Critical URWB Vulnerability in Industrial Wireless Systems
- Critical vulnerability in Cisco industrial wireless access points fixed (CVE-2024-20418)
- Cisco scores a perfect CVSS 10 with critical flaw in its wireless system
- HPE warns of critical RCE flaws in Aruba Networking access points
- Critical Veeam RCE bug now used in Frag ransomware attacks
- Palo Alto Networks warns of critical RCE zero-day exploited in attacks
- Critical RCE bug in VMware vCenter Server now exploited in attacks
- Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble
- Veeam warns of critical RCE bug in Service Provider Console
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK (CVSS) |
|---|---|---|---|
| 2020-05-22 | CVE-2020-3280 | Deserialization of Untrusted Data vulnerability in Cisco Unified Contact Center Express 12.0/12.0(1): a vulnerability in the Java Remote Management Interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. | 9.8 |