Pre-authentication, remote root hole in call-center software? Thanks, Cisco. Just what a long weekend needs
2020-05-25 09:31

We have a bunch of new security patches from Switchzilla, including one for a critical hole in its call-center software.

CVE-2020-3280 is a remote-code-execution vulnerability in the Java remote management interface for Unified Contact Center Express.

An unauthenticated, remote attacker able to exploit the flaw by supplying a malformed Java object can gain root control over the management system.

The aim here, says Zoom, is to gradually overhaul its call encryption and security features, starting with public key management and then moving on to addressing identity management, transparency, and eventually adding real-time security protections.

As the bug is still under active attack, any admins who haven't applied the software update would be well-advised to make sure they are running the most current version of XG Firewall to keep their networks safe.


News URL

https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/05/25/security_roundup_220520/

Related Vulnerability

Date: 2020-05-22
CVE: CVE-2020-3280
Vulnerability title: Deserialization of Untrusted Data vulnerability in Cisco Unified Contact Center Express 12.0/12.0(1)
Description: A vulnerability in the Java Remote Management Interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.
Tags: network, low complexity, cisco, CWE-502
Risk: critical (9.8)