Cisco Unified Communications Manager Cross-Site Request Forgery Vulnerability

🚨 SEVERITY: MEDIUM — CVSS 4.3 Security Advisory

TL;DR 📌

A medium-severity Cross-Site Request Forgery (CSRF) vulnerability has been identified in Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (SME). An attacker with no credentials on the system could exploit it by persuading a user who is logged in to the web-based management interface to click a crafted link; the victim's browser would then submit the attacker's request along with the victim's session, allowing the attacker to perform actions at that user's privilege level. There are no workarounds; affected users should upgrade to a fixed software release.

What happened 🕵️‍♂️

A vulnerability was discovered in the web-based management interface of Cisco Unified Communications Manager and Unified CM Session Management Edition. It allows an unauthenticated, remote attacker to conduct a CSRF attack against a user of the interface: if that user clicks a crafted link while holding an active management session, the attacker can perform arbitrary actions on the affected device at the privilege level of that user. The vulnerability arises from insufficient CSRF protections in the management interface, meaning the interface accepts state-changing requests on the strength of the session cookie alone, which the browser attaches automatically even when the request originates from another site.
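To make "insufficient CSRF protections" concrete, here is an added Python example (not Cisco's code, and not a reproduction of the flaw in Unified CM): a cookie-authenticated "add administrator" endpoint that trusts the session cookie alone, next to a hardened version that additionally checks the Origin header and a per-session synchronizer token. The host name, cookie name, route and header names are hypothetical, and the requests are constructed in the script.

```python
"""Added example, not Cisco's code: a cookie-authenticated management
endpoint with insufficient CSRF protection beside a hardened version.
Host names, cookie and header names are hypothetical."""
import hmac
import secrets
from dataclasses import dataclass, field

MGMT_ORIGIN = "https://cucm.example.internal"  # hypothetical management UI origin


@dataclass
class Request:
    method: str
    cookies: dict
    headers: dict
    form: dict


@dataclass
class Server:
    sessions: dict = field(default_factory=dict)  # session id -> {"user", "csrf"}
    admins: list = field(default_factory=list)    # state a CSRF would change

    def login(self, user: str) -> str:
        """Issue a session id plus a per-session anti-CSRF token."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def csrf_token(self, sid: str) -> str:
        return self.sessions[sid]["csrf"]

    def _session(self, req: Request):
        return self.sessions.get(req.cookies.get("JSESSIONID"))

    def add_admin_vulnerable(self, req: Request) -> int:
        """Authorises on the session cookie alone. Any site that can make the
        victim's browser POST here (an auto-submitting form behind a 'malicious
        link') acts with the victim's privileges, because the browser attaches
        the cookie automatically."""
        sess = self._session(req)
        if req.method != "POST" or sess is None:
            return 401
        self.admins.append(req.form["username"])
        return 200

    def add_admin_hardened(self, req: Request) -> int:
        """Same action with two independent CSRF checks."""
        sess = self._session(req)
        if req.method != "POST" or sess is None:
            return 401
        # Check 1: Origin. Browsers add it to cross-site POSTs and page script
        # cannot override it, so a request from another site is rejected.
        if req.headers.get("Origin") != MGMT_ORIGIN:
            return 403
        # Check 2: synchronizer token. It is embedded in the real UI's page,
        # which a cross-site page cannot read; compare in constant time.
        token = req.headers.get("X-CSRF-Token", "")
        if not hmac.compare_digest(token, sess["csrf"]):
            return 403
        self.admins.append(req.form["username"])
        return 200


def cross_site_post(sid: str) -> Request:
    """Constructed request: what the victim's browser sends when a page on the
    attacker's site auto-submits a form at the management interface. The
    cookie rides along, Origin is the attacker's, no custom header is possible."""
    return Request("POST", {"JSESSIONID": sid},
                   {"Origin": "https://evil.example"}, {"username": "backdoor"})


def same_site_post(sid: str, token: str) -> Request:
    """Constructed request: a legitimate action issued by the real management UI."""
    return Request("POST", {"JSESSIONID": sid},
                   {"Origin": MGMT_ORIGIN, "X-CSRF-Token": token},
                   {"username": "new-operator"})


def run_scenarios() -> dict:
    """Drive both handlers with a forged and a legitimate request."""
    srv = Server()
    sid = srv.login("admin")  # the victim is already logged in
    forged = cross_site_post(sid)
    legit = same_site_post(sid, srv.csrf_token(sid))
    return {
        "vulnerable_forged": srv.add_admin_vulnerable(forged),  # 200: CSRF succeeds
        "hardened_forged": srv.add_admin_hardened(forged),      # 403: rejected
        "hardened_legit": srv.add_admin_hardened(legit),        # 200: real UI works
        "admins": list(srv.admins),
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The forged request succeeds against the vulnerable handler only because the victim has a live session; an attacker with no session of their own gets 401 from both handlers, which is why the advisory describes the attacker as unauthenticated but the exploit as requiring user interaction. Marking the session cookie SameSite=Lax or Strict is a further browser-side layer, but the server-side token and Origin checks are what the hardened handler relies on.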

Affected products 🖥️

The following products are affected by this vulnerability:

  • Cisco Unified Communications Manager (Unified CM)
  • Cisco Unified CM Session Management Edition (SME)

Fixed software 🔧

Upgrade to the first fixed release in your train (or later):

Cisco Unified CM and Unified CM SME release   First fixed release
12.5                                          Migrate to a fixed release.
14                                            Migrate to a fixed release.
15                                            15SU3

Advisory revision history: 1.0, initial public release.

Workarounds 🧯

There are no workarounds available that address this vulnerability.

Risk in context 🎯

The CVSS base score for this vulnerability is 4.3, which is categorized as Medium severity. The attacker needs no credentials on the device, but the exploit depends on social engineering: a user who holds an active session on the management interface must be persuaded to click a malicious link, and the resulting actions are limited to that user's privileges. Users who administer Unified CM from a browser while also browsing untrusted sites are the realistic target.

Fast facts ⚡

  • Vulnerability Type: Cross-Site Request Forgery (CSRF)
  • CVSS Score: 4.3 (Medium)
  • Exploitation: No credentials needed by the attacker; the target user must be logged in to the management interface and must click the crafted link.
  • Impact: Potential unauthorized actions at user privilege level.
  • Workarounds: None available.

For leadership 🧭

A medium-risk vulnerability has been identified in Cisco Unified Communications Manager and Unified CM Session Management Edition, with a CVSS score of 4.3. The vulnerability allows unauthenticated attackers to exploit the system through CSRF attacks, requiring user interaction to be effective. Immediate remediation is necessary, with a recommendation to patch within 7 days to mitigate risks. The operational impact is expected to be minimal, involving a brief maintenance window with no configuration drift.

Now: Review the advisory and assess your current software versions.
Next: Plan to upgrade to the fixed releases as soon as possible.
Later: Monitor for any updates or additional advisories related to this vulnerability.