What is CVE-2024-20253?

CVE-2024-20253 is a critical-severity vulnerability in Cisco Packaged Contact Center Enterprise, classified under Deserialization of Untrusted Data. CVSS score: 9.9/10. Published 2024-01-26.

How severe is CVE-2024-20253?

Critical severity. CVSS v3 base score is 9.9 out of 10.

Is CVE-2024-20253 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Deserialization in Cisco Packaged Contact Center Enterprise

CVE-2024-20253

A vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to the improper proce…

Vulnerability class: Insecure Deserialization

EPSS: 0.030 (86.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.9 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H.

Affected products

Cisco Packaged Contact Center Enterprise — versions 10.5(1), 10.5(2), 10.5(1)_ES7
Cisco Unified Communications Manager — versions 12.0(1)SU1, 12.0(1)SU2, 12.0(1)SU3
Cisco Unified Communications Manager / Unity Connection — versions 10.5(2)SU10, 10.5(1), 10.5(1)SU1
Cisco Unified Communications Manager Im And Presence Service — versions 10.5(1), 10.5(2), 10.5(2a)
Cisco Unified Contact Center Enterprise — versions N/A
Cisco Unified Contact Center Express — versions 8.5(1), 9.0(2)SU3ES04, 10.0(1)SU1
Cisco Unity Connection — versions 12.0(1)SU1, 12.0(1)SU2, 12.0(1)SU3
Cisco Virtualized Voice Browser — versions 11.0(1), 11.5(1), 11.5(1)ES29

Weakness classification (CWE)

CWE-502 — Deserialization of Untrusted Data

Public proof-of-concept exploits

EfstratiosLontzetidis/blogs_

References

cisco-sa-cucm-rce-bWNzQcUm

Frequently asked questions

What is CVE-2024-20253?: CVE-2024-20253 is a critical-severity vulnerability in Cisco Packaged Contact Center Enterprise, classified under Deserialization of Untrusted Data. CVSS score: 9.9/10. Published 2024-01-26.
How severe is CVE-2024-20253?: Critical severity. CVSS v3 base score is 9.9 out of 10.
Is CVE-2024-20253 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.