Remote Code Execution Flaw in Cisco Unified Communications Domain Manager
CVE-2018-0124

9.8CRITICAL

Key Information:

Vendor
Cisco
Status
Cisco Unified Communications Domain Manager
Vendor
CVE Published:
22 February 2018

Summary

A security flaw in Cisco Unified Communications Domain Manager could allow an unauthenticated remote attacker to exploit the system by bypassing essential security mechanisms. This vulnerability arises from insecure key generation during the application's configuration process. An attacker can exploit this security weakness by sending specially crafted requests using a known insecure key, gaining elevated privileges and executing arbitrary code within the application. As a result, it poses a significant risk to systems running affected versions of the product prior to 11.5(2). For further information, refer to Cisco’s Security Advisory.

Affected Version(s)

Cisco Unified Communications Domain Manager Cisco Unified Communications Domain Manager

References

http://www.securityfocus.com/bid/103114
vdb-entryx_refsource_BID
http://www.securitytracker.com/id/1040405
vdb-entryx_refsource_SECTRACK
https://tools.cisco.com/security/center/content/CiscoSecu...
x_refsource_CONFIRM

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.