Critical Cisco Contact Center Bug Threatens Customer-Service Havoc (Security News, January 2022)
A critical security bug affecting Cisco's Unified Contact Center Enterprise portfolio could allow privilege-escalation and platform takeover.
The bug in question is a particularly nasty one, with a critical rating of 9.6 out of 10 on the CVSS vulnerability-severity scale, and could allow authenticated, remote attackers to elevate their privileges to administrator, with the ability to create other administrator accounts.
It specifically exists in the web-based management interface of Cisco Unified Contact Center Management Portal and Cisco Unified Contact Center Domain Manager and stems from the fact that the server relies on authentication mechanisms handled by the client side.
The CCMP is a management tool that gives contact-center supervisors the ability to move, add and change agents working in different areas of the contact center between different call queues, brands, product lines and more.
Armed with additional admin accounts, attackers could access and modify telephony and user resources across all of the platforms that are associated with the vulnerable Cisco Unified CCMP, Cisco warned.
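The root cause described above, a server that relies on a check made on the client side, shown next to a server-side check for the same "create administrator" action. This is an added example, not Cisco's code or the article's; the handlers, role table, token format and account names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed server-side state (hypothetical; not Cisco's data model).
SERVER_KEY = secrets.token_bytes(32)
ROLES = {"alice": "administrator", "bob": "supervisor"}  # authoritative roles


def _tag(user):
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()


def issue_session(user):
    """Token the server hands out after login: user name plus an HMAC tag."""
    return f"{user}.{_tag(user)}"


def user_from_session(token):
    """Return the authenticated user, or None if the tag does not verify."""
    user, _, tag = token.rpartition(".")
    ok = hmac.compare_digest(tag.encode(), _tag(user).encode())
    return user if ok else None


def create_admin_weak(request, accounts):
    """Weak form: the server acts on a role the client reports about itself."""
    if request.get("role") != "administrator":
        return 403
    accounts.add(request["new_admin"])
    return 201


def create_admin_hardened(request, accounts):
    """Hardened form: identity from a verified token, role from server data."""
    user = user_from_session(request.get("session", ""))
    if user is None:
        return 401
    if ROLES.get(user) != "administrator":  # client-supplied "role" is ignored
        return 403
    accounts.add(request["new_admin"])
    return 201


def demo():
    """One constructed request: a supervisor session carrying an admin claim."""
    request = {"session": issue_session("bob"), "role": "administrator",
               "new_admin": "extra-admin"}
    weak, hardened = set(), set()
    return (create_admin_weak(request, weak), weak,
            create_admin_hardened(request, hardened), hardened)
```

For a review or test plan, the useful check is the one `demo()` encodes: the same authenticated low-privilege request must be refused regardless of any role or permission field it carries.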
In 2020, a critical bug in Cisco's "Contact center in-a-box" platform, Unified Contact Center Express, was found to allow remote code execution.
News URL
https://threatpost.com/critical-cisco-contact-center-bug/177681/