Denial of Service Vulnerability in Cisco Unified Communications Products
CVE-2023-20259
Key Information:
- Vendor: Cisco
- Status: Vendor
- CVE Published: 4 October 2023
Summary
A vulnerability exists within an improperly secured API endpoint across various Cisco Unified Communications Products. An unauthenticated remote attacker could exploit this flaw by sending a specially crafted HTTP request. This could result in excessive CPU utilization, leading to potential delays in call processing and affecting access to the web-based management interface. This API is not meant for device management and its exploitation could result in a denial of service condition. Fortunately, once the attack ceases, the affected devices are designed to recover automatically without needing manual intervention.
Affected Version(s)
Cisco Emergency Responder 12.5(1)SU7
Cisco Emergency Responder 14
Cisco Emergency Responder 14SU3