Update your Cisco products now: Critical security flaw lets hackers hijack software

The Cisco logo shown on a smartphone
(Image credit: Alamy)

Cisco issued a warning this week that some of its most widely deployed collaboration software contains a critical vulnerability that could let an unauthenticated, remote attacker execute arbitrary code on an affected device. The company is urging customers to update affected systems immediately.

Several of Cisco's Unified Communications Manager and Contact Center Solutions products, which provide enterprise voice, video and messaging services as well as customer-engagement and contact-center functions, are affected. The issue stems from improper processing of user-supplied data that is read into memory, Cisco explained in a security advisory. An attacker can exploit it by sending a specially crafted message to a listening network port on an affected device, which could allow them to execute arbitrary commands on the underlying operating system with the privileges of the web services user.

"A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user," Cisco said. "With access to the underlying operating system, the attacker could also establish root access on the affected device."

The flaw, tracked as CVE-2024-20253, was reported to Cisco by Synacktiv security researcher Julien Egloff. It is rated 9.9 out of 10 on the CVSS severity scale. The affected products named in the advisory, with their Cisco bug IDs, are:

  • Unified Communications Manager (Unified CM) (CSCwd64245)
  • Unified Communications Manager IM & Presence Service (Unified CM IM&P) (CSCwd64276)
  • Unified Communications Manager Session Management Edition (Unified CM SME) (CSCwd64245)
  • Unified Contact Center Express (UCCX) (CSCwe18773)
  • Unity Connection (CSCwd64292)
  • Virtualized Voice Browser (VVB) (CSCwe18840)

Currently, there is no workaround for this issue, Cisco warns, so it is recommending that customers apply the available security updates as soon as possible. If applying the updates is not immediately possible, the company advises administrators to reduce exposure in the meantime by configuring access control lists on the network devices that sit between the affected cluster and its users, permitting only the ports of the services actually deployed. This limits who can reach the vulnerable listener but does not remove the flaw, so patching is still required.

"Establish access control lists (ACLs) on intermediary devices that separate the Cisco Unified Communications or Cisco Contact Center Solutions cluster from users and the rest of the network to allow access only to the ports of deployed services," the company said.
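What that mitigation looks like in practice, as an added illustration that is not part of Cisco's advisory: an extended ACL on a Cisco IOS device that separates the user VLAN from the Unified CM cluster. The cluster addresses, the management subnet, the interface name and the set of permitted services are assumptions for the example; the ports must be matched to the services that are actually deployed in a given environment, and anything the cluster does not serve should simply not be permitted.

```cisco
! Added example, not Cisco's own configuration. Assumes an IOS router or
! switch routes between the user VLAN and the UC cluster; all addresses,
! the interface name and the service list below are assumptions.
!
! Object groups keep the ACL readable and make adding a node a one-line change.
object-group network UC-CLUSTER
 host 10.10.20.11
 host 10.10.20.12
 host 10.10.20.21
!
object-group network MGMT-ADMINS
 10.10.99.0 255.255.255.0
!
ip access-list extended USERS-TO-UC
 remark --- Phones and softphones: SIP signaling (drop the SCCP line if no SCCP phones) ---
 permit tcp any object-group UC-CLUSTER eq 5060
 permit tcp any object-group UC-CLUSTER eq 5061
 permit udp any object-group UC-CLUSTER eq 5060
 permit tcp any object-group UC-CLUSTER eq 2000
 remark --- RTP only if a cluster node hosts MOH, MTP or a software conference bridge ---
 permit udp any object-group UC-CLUSTER range 16384 32767
 remark --- Phone configuration download (TFTP and HTTP-based TFTP) ---
 permit udp any object-group UC-CLUSTER eq 69
 permit tcp any object-group UC-CLUSTER eq 6970
 remark --- Web and admin interfaces reachable only from the management subnet ---
 permit tcp object-group MGMT-ADMINS object-group UC-CLUSTER eq 443
 permit tcp object-group MGMT-ADMINS object-group UC-CLUSTER eq 8443
 permit tcp object-group MGMT-ADMINS object-group UC-CLUSTER eq 22
 remark --- Everything else from users toward the cluster is dropped and logged ---
 deny   ip any object-group UC-CLUSTER log
 permit ip any any
!
interface Vlan100
 description User VLAN facing the UC cluster (assumed name)
 ip access-group USERS-TO-UC in
```

The ordering matters: the explicit `deny ... log` for the cluster comes before the trailing `permit ip any any`, so ordinary user traffic to the rest of the network is unaffected while every attempt to reach a non-permitted cluster port is dropped and produces a log line worth watching while the cluster remains unpatched. Restricting the web and administrative ports to a management subnet is the part most relevant to this advisory, since the vulnerable component runs as the web services user.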

Cisco said that, so far, it is not aware of any public disclosure or malicious exploitation of the vulnerability.

Alyse Stanley
News Editor

Alyse Stanley is a news editor at Tom’s Guide overseeing weekend coverage and writing about the latest in tech, gaming, and entertainment. Prior to joining Tom’s Guide, Alyse worked as an editor for the Washington Post’s sunsetted video game section, Launcher. She previously led Gizmodo’s weekend news desk and has written game reviews and features for outlets like Polygon, Unwinnable, and Rock, Paper, Shotgun. She’s a big fan of horror movies, cartoons, and roller skating.
