Cisco this week issued a warning that some of its most widely used software contains a critical vulnerability that could allow a remote attacker to execute arbitrary code on an affected device and wreak havoc. The company urges users to immediately apply the patch to their endpoints.

Several of Cisco's Unified Communications Manager and Contact Center Solutions products provide enterprise-level voice, video, messaging services, and customer engagement and customer management, are affected by this flaw. Cisco explains in a security bulletin that the problem stems from improper handling of user-supplied data that is loaded into memory. To exploit the issue, a specially crafted message could be sent to one of the open network communication ports on the device, giving hackers an opening to execute malware with the privileges of a web service user. [Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system with the privileges of a web services user," Cisco said. 'Cisco states that By gaining access to the underlying operating system, an attacker could also establish root access on the affected device." [The flaw, known as CVE-2024-20253, was first discovered by Julien Egloff, a security researcher at Synacktiv, and is rated 9.9 out of 10 on the CVSS severity scale. For a full list of vulnerable products, see: [Cisco warns that there is currently no workaround for this issue and recommends that users apply any available security updates as soon as possible. If for some reason the updates cannot be applied immediately, the company advises administrators to set up access control lists on intermediate devices connected to the Cisco network as a mitigation measure. [Configure access control lists (ACLs) on intermediate devices that isolate the Cisco Unified Communications or Cisco Contact Center Solutions cluster from users and the rest of the network to allow access only to the port of the deployed service. only," the company states.

So far, Cisco concludes that it has found no evidence that hackers have exploited or disclosed this vulnerability.