Update your Cisco products now: Critical security flaw lets hackers hijack software


Cisco issued a warning this week that some of its most widely used software contains a critical vulnerability that could let remote attackers execute arbitrary code on an affected device and wreak havoc. The company is urging users to patch their endpoints immediately.

Several of Cisco's Unified Communications Manager and Contact Center Solutions products, which provide enterprise-level voice, video and messaging services as well as customer engagement and customer management, are affected by this flaw. The issue stems from improper processing of user-supplied data as it is read into memory, Cisco explained in a security bulletin. It can be exploited by sending a specially crafted message to a listening network port on the device, potentially giving attackers a way to run arbitrary commands with the privileges of the web services user.

"A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user," Cisco said. "With access to the underlying operating system, the attacker could also establish root access on the affected device."

The flaw, tracked as CVE-2024-20253, was discovered by Synacktiv security researcher Julien Egloff. It is rated 9.9 out of 10 on the CVSS severity scale. The full list of vulnerable products, with Cisco's bug IDs, is below:

  • Unified Communications Manager (Unified CM) (CSCwd64245)
  • Unified Communications Manager IM & Presence Service (Unified CM IM&P) (CSCwd64276)
  • Unified Communications Manager Session Management Edition (Unified CM SME) (CSCwd64245)
  • Unified Contact Center Express (UCCX) (CSCwe18773)
  • Unity Connection (CSCwd64292)
  • Virtualized Voice Browser (VVB) (CSCwe18840)

Currently, there is no workaround for this issue, Cisco warns, so it is recommending that users apply the available security updates as soon as possible. If applying the updates is not immediately possible, the company advises administrators to set up access control lists on the intermediary devices that sit between the affected cluster and the rest of the network as a mitigation.

"Establish access control lists (ACLs) on intermediary devices that separate the Cisco Unified Communications or Cisco Contact Center Solutions cluster from users and the rest of the network to allow access only to the ports of deployed services," the company said.
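As an added illustration that is not from Cisco's bulletin or this article, here is what such an ACL could look like on a Cisco IOS router sitting between users and the cluster. The subnets, interface name and ports are assumed placeholders; the real permit lines come from the ports of the services actually deployed on the cluster.

```text
! Added example, not Cisco's own guidance. Inbound ACL on the user-facing
! interface of the intermediary device. All addresses, the interface name and
! the ports are placeholders to be replaced with the real deployment's values.
ip access-list extended UC-CLUSTER-IN
 remark 10.20.0.0/24 = UC cluster subnet (placeholder), 10.10.0.0/16 = user subnet (placeholder)
 remark One permit line per deployed service port, e.g. 8443 (HTTPS) and 5061 (SIP over TLS)
 permit tcp 10.10.0.0 0.0.255.255 10.20.0.0 0.0.0.255 eq 8443
 permit tcp 10.10.0.0 0.0.255.255 10.20.0.0 0.0.0.255 eq 5061
 remark Anything else aimed at the cluster is dropped and logged
 deny ip any 10.20.0.0 0.0.0.255 log
 remark Traffic not destined for the cluster is unaffected by this ACL
 permit ip any any
!
interface GigabitEthernet0/1
 description User-facing interface (placeholder)
 ip access-group UC-CLUSTER-IN in
```

The explicit deny with `log` is what turns the ACL into a detection point as well as a mitigation: hits on that line show which sources are probing cluster ports that no deployed service uses.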

So far, there's been no evidence found of hackers exploiting or publicizing this vulnerability, Cisco concluded. 

Alyse Stanley
News Editor

Alyse Stanley is a news editor at Tom’s Guide, overseeing weekend coverage and writing about the latest in tech, gaming, and entertainment. Before Tom’s Guide, Alyse worked as an editor for the Washington Post’s sunsetted video game section, Launcher. She previously led Gizmodo’s weekend news desk and has written game reviews and features for outlets like Polygon, Unwinnable, and Rock, Paper, Shotgun. She’s a big fan of horror movies, cartoons, and roller skating.
