Cisco Releases Patch for Critical Bug Affecting Unified CCMP and Unified CCDM

Cisco Systems has rolled out security updates for a critical
security vulnerability affecting Unified Contact Center Management
Portal (Unified CCMP) and Unified Contact Center Domain Manager
(Unified CCDM) that could be exploited by a remote attacker to take
control of an affected system.

Tracked as CVE-2022-20658, the vulnerability
has been rated 9.6 in severity on the CVSS scoring system, and
concerns a privilege escalation flaw arising out of a lack of
server-side validation of user permissions that could be weaponized
to create rogue Administrator accounts by submitting a crafted HTTP
request.

“With these accounts, the attacker could access and modify
telephony and user resources across all the Unified platforms that
are associated to the vulnerable Cisco Unified CCMP,” Cisco
noted[1] in an advisory published this week. “To successfully exploit this
vulnerability, an attacker would need valid Advanced User
credentials.”
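The flaw class described above, a missing server-side permission check on account creation, is shown here as an added example that is not Cisco's code or taken from the advisory. The handler names, session store, request fields, role ranking and the "Basic User" role are assumptions made for illustration.

```python
# Added illustration: a generic account-creation handler, not Cisco code.
# Role ranks and the "Basic User" role are assumptions for this example.
ROLE_RANK = {"Basic User": 0, "Advanced User": 1, "Administrator": 2}

# Constructed server-side session store: token -> authenticated principal.
SESSIONS = {
    "tok-adv": {"user": "alice", "role": "Advanced User"},
    "tok-adm": {"user": "root", "role": "Administrator"},
}


class Forbidden(Exception):
    """Raised when the server refuses the request."""


def create_account_vulnerable(request: dict, accounts: dict) -> str:
    """Checks authentication only; the requested role is taken on trust."""
    if request.get("session") not in SESSIONS:
        raise Forbidden("not authenticated")
    accounts[request["new_user"]] = request["new_role"]
    return request["new_role"]


def create_account_hardened(request: dict, accounts: dict) -> str:
    """Derives the caller's role from the session and bounds what it may grant."""
    session = SESSIONS.get(request.get("session"))
    if session is None:
        raise Forbidden("not authenticated")
    new_user, new_role = request.get("new_user"), request.get("new_role")
    if not new_user or new_role not in ROLE_RANK:
        raise Forbidden("malformed request")
    if new_user in accounts:
        raise Forbidden("account already exists")
    # Assumed policy: Administrators may grant any role; everyone else may
    # only create accounts ranked strictly below their own role.
    caller_role = session["role"]
    if caller_role != "Administrator" and ROLE_RANK[new_role] >= ROLE_RANK[caller_role]:
        raise Forbidden(f"{caller_role} may not grant {new_role}")
    accounts[new_user] = new_role
    return new_role


def is_rejected(handler, request: dict, accounts: dict) -> bool:
    """True if the handler refuses the request and leaves accounts unchanged."""
    before = dict(accounts)
    try:
        handler(request, accounts)
    except Forbidden:
        return accounts == before
    return False
```

The hardened handler never reads a role or privilege claim about the caller from the request body; everything it needs to know about the caller comes from the server-side session.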

Unified CCMP and Unified CCDM product versions 12.5.1, 12.0.1,
and 11.6.1 and earlier running with default configuration are
impacted, the networking equipment company said, adding it found
the issue as part of a Technical Assistance Center (TAC) support
case. Version 12.6.1 of the software is not affected.

While there is no evidence that the security flaw has been
exploited in real-world attacks, it’s recommended that users
upgrade to the latest version to mitigate the risk associated with
the flaw.

References

  1. noted (tools.cisco.com)
