CVE-2021-1362: Cisco Unified Communications Products Remote Code Execution Vulnerability Alert
The Cisco Unified Suite is a powerful call processing component in the Cisco Unified Communications solution. There is a remote code execution vulnerability in this component. Exploiting this vulnerability requires the attacker to have system login credentials.
Vulnerability Detail
This vulnerability is due to improper sanitization of user-supplied input. An attacker could exploit this vulnerability by sending a SOAP API request with crafted parameters to an affected device. A successful exploit could allow the attacker to execute arbitrary code with root privileges on the underlying Linux operating system of the affected device.
Affected versions
Unified CM and Unified CM SME: CSCvu56491

| Cisco Unified CM and Unified CM SME Releases | First Fixed Release for This Vulnerability |
| --- | --- |
| 10.5(2) | None planned |
| 11.0(1) | Migrate to 11.5(1)SU9 |
| 11.5(1) | 11.5(1)SU9 |
| 12.0(1) | Migrate to 12.5(1)SU4 |
| 12.5(1) | 12.5(1)SU4 |

Unified CM IM&P: CSCvv41616

| Cisco Unified CM IM&P Releases | First Fixed Release for This Vulnerability |
| --- | --- |
| 10.5(2) | None planned |
| 11.0(1) | Migrate to 11.5(1)SU9 |
| 11.5(1) | 11.5(1)SU9 |
| 12.0(1) | Migrate to 12.5(1)SU4 |
| 12.5(1) | 12.5(1)SU4 |

Unity Connection: CSCvv35203

| Cisco Unity Connection Releases | First Fixed Release for This Vulnerability |
| --- | --- |
| 10.5(2) | None planned |
| 11.0(1) | Migrate to 11.5(1)SU9 |
| 11.5(1) | 11.5(1)SU9 |
| 12.0(1) | Migrate to 12.5(1)SU4 |
| 12.5(1) | 12.5(1)SU4 |

Prime License Manager: CSCvv59434

| Cisco Prime License Manager Releases | First Fixed Release for This Vulnerability |
| --- | --- |
| 10.5(2) | None planned |
| 11.0(1) | Migrate to 11.5(1)SU9 |
| 11.5(1) | 11.5(1)SU9 |
Solution
We recommend that users promptly upgrade the Unified series components to the latest version.
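To decide which devices need the upgrade, the fixed-release tables above can be applied to a version inventory. The following is an added example, not code from Cisco or from the original alert; the function names, the accepted version-string format (e.g. 11.5(1)SU8) and the sample inventory are assumptions made for illustration.

```python
import re

# First fixed releases, transcribed from the tables on this page.
FIXED_SU = {(11, 5, 1): 9, (12, 5, 1): 4}  # release train -> first fixed SU
MIGRATE = {(11, 0, 1): "11.5(1)SU9", (12, 0, 1): "12.5(1)SU4"}
NO_FIX = {(10, 5, 2)}
# The Prime License Manager table lists only these three trains.
PLM_TRAINS = {(10, 5, 2), (11, 0, 1), (11, 5, 1)}

# Assumed input format: major.minor(maint), optional SU level and letter.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(?:SU(\d+)[a-z]?)?$", re.I)


def triage(product, version):
    """Classify one product/version pair against the page's tables."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparsed"
    train = tuple(int(x) for x in m.group(1, 2, 3))
    su = int(m.group(4) or 0)  # a base release counts as SU0
    if product == "Prime License Manager" and train not in PLM_TRAINS:
        return "not listed"
    if train in NO_FIX:
        return "vulnerable: no fix planned"
    if train in MIGRATE:
        return f"vulnerable: migrate to {MIGRATE[train]}"
    if train in FIXED_SU:
        first = FIXED_SU[train]
        if su >= first:
            return "fixed"
        return f"vulnerable: upgrade to {train[0]}.{train[1]}({train[2]})SU{first}"
    return "not listed"  # train absent from the page; check Cisco's advisory


def triage_inventory(rows):
    """rows: iterable of (hostname, product, version) tuples."""
    return [(host, triage(product, version)) for host, product, version in rows]


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = [
        ("cucm-pub", "Unified CM", "11.5(1)SU8"),
        ("cuc-01", "Unity Connection", "12.0(1)"),
        ("imp-01", "Unified CM IM&P", "12.5(1)SU4"),
        ("plm-01", "Prime License Manager", "10.5(2)"),
    ]
    for host, status in triage_inventory(sample):
        print(f"{host}: {status}")
```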