CVE-2021-1362: Cisco Unified Communications Products Remote Code Execution Vulnerability Alert

On April 7, 2021, Cisco released a risk notice for its Unified Communications products. The vulnerability is tracked as CVE-2021-1362 and has a CVSS score of 8.8.

The Cisco Unified Suite is a powerful call processing component in the Cisco Unified Communications solution. A remote code execution vulnerability exists in this component. Exploiting it requires the attacker to have system login credentials.

Vulnerability Detail

This vulnerability is due to improper sanitization of user-supplied input. An attacker could exploit this vulnerability by sending a SOAP API request with crafted parameters to an affected device. A successful exploit could allow the attacker to execute arbitrary code with root privileges on the underlying Linux operating system of the affected device.

Affected versions

Unified CM and Unified CM SME: CSCvu56491

Cisco Unified CM and Unified CM SME Releases    First Fixed Release for This Vulnerability
10.5(2)                                         None planned
11.0(1)                                         Migrate to 11.5(1)SU9
11.5(1)                                         11.5(1)SU9
12.0(1)                                         Migrate to 12.5(1)SU4
12.5(1)                                         12.5(1)SU4

Unified CM IM&P: CSCvv41616

Cisco Unified CM IM&P Releases    First Fixed Release for This Vulnerability
10.5(2)                           None planned
11.0(1)                           Migrate to 11.5(1)SU9
11.5(1)                           11.5(1)SU9
12.0(1)                           Migrate to 12.5(1)SU4
12.5(1)                           12.5(1)SU4

Unity Connection: CSCvv35203

Cisco Unity Connection Releases    First Fixed Release for This Vulnerability
10.5(2)                            None planned
11.0(1)                            Migrate to 11.5(1)SU9
11.5(1)                            11.5(1)SU9
12.0(1)                            Migrate to 12.5(1)SU4
12.5(1)                            12.5(1)SU4

Prime License Manager: CSCvv59434

Cisco Prime License Manager Releases    First Fixed Release for This Vulnerability
10.5(2)                                 None planned
11.0(1)                                 Migrate to 11.5(1)SU9
11.5(1)                                 11.5(1)SU9

Solution

We recommend that users promptly upgrade the Unified series components to the latest version.
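
To check an inventory against the fixed-release tables in this alert, the following Python sketch classifies each deployed release as fixed, needing an upgrade, needing a migration, or having no fix planned. It is an added example, not Cisco's or the original page's code; it assumes release strings are written in the advisory's own notation (for example 11.5(1)SU8), treats a release without an SU suffix as SU level 0, and uses a constructed inventory.

```python
import re

# First fixed releases copied from the advisory tables (None = "None planned").
_COMMON = {
    "10.5(2)": None,
    "11.0(1)": "11.5(1)SU9",
    "11.5(1)": "11.5(1)SU9",
    "12.0(1)": "12.5(1)SU4",
    "12.5(1)": "12.5(1)SU4",
}
FIXED = {
    "Unified CM": _COMMON,  # also covers Unified CM SME
    "Unified CM IM&P": _COMMON,
    "Unity Connection": _COMMON,
    # The Prime License Manager table lists no 12.x trains.
    "Prime License Manager": {k: v for k, v in _COMMON.items() if not k.startswith("12.")},
}
# Assumed notation: major.minor(maintenance) with an optional SU level.
_RELEASE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(?:SU(\d+))?$", re.IGNORECASE)

def parse(release):
    """'11.5(1)SU8' -> ('11.5(1)', 8); no SU suffix means SU level 0."""
    m = _RELEASE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    major, minor, maint, su = m.groups()
    return f"{major}.{minor}({maint})", int(su or 0)

def triage(product, release):
    """Return (status, first_fixed_release_or_None) for one inventory entry."""
    train, su = parse(release)
    table = FIXED[product]
    if train not in table:
        return "not-listed", None        # the tables say nothing about this train
    target = table[train]
    if target is None:
        return "no-fix-planned", None
    fixed_train, fixed_su = parse(target)
    if train != fixed_train:
        return "migrate", target         # the fix only exists on a later train
    return ("fixed" if su >= fixed_su else "upgrade"), target

# Constructed inventory, for illustration only.
INVENTORY = [("Unified CM", "11.5(1)SU8"), ("Unity Connection", "12.0(1)"),
             ("Unified CM IM&P", "10.5(2)"), ("Prime License Manager", "11.5(1)SU9")]

if __name__ == "__main__":
    for product, release in INVENTORY:
        print(product, release, *triage(product, release))
```

A "not-listed" result means only that the train does not appear in the tables above; it is not a statement that the release is unaffected.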