Privilege Escalation Vulnerability in Cisco Unified Communications Products
CVE-2023-20266

7.2HIGH

Key Information:

Vendor: Cisco
Status: Cisco Emergency Responder; Cisco Unity Connection; Cisco Unified Communications Manager
Vendor: CVE Published:; 30 August 2023

Summary

A security flaw exists in Cisco Emergency Responder and related Unified Communications products, allowing an authenticated remote attacker to gain root privileges. This vulnerability arises due to inadequate restrictions on the upgrade files utilized by the application. An attacker with valid platform administrator credentials could exploit this weakness by deploying a specially crafted upgrade file, thereby elevating their access rights and compromising the affected device's integrity.

Affected Version(s)

Cisco Emergency Responder 12.5(1)SU4

Cisco Emergency Responder 12.5(1)SU8a

Cisco Emergency Responder 14SU3

References

https://sec.cloudapps.cisco.com/security/center/content/C...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 30, 2023
Vulnerability Reserved
Oct 27, 2022