Impact of Unauthenticated API Vulnerabilities: Cisco CUCM

Vulnerability: CVE-2023-20259

An unauthenticated, remote attacker could cause high CPU utilization through a vulnerability in an API endpoint of several Cisco Unified Communications products. This could affect access to the web-based management interface and cause delays in call processing.

This API is not expected to be used during normal device operation and is not used for device administration. The vulnerability is caused by improper API authentication and insufficient validation of API requests. An attacker could exploit this weakness by sending a crafted HTTP request to a specific API on the device.

A successful exploit could allow the attacker to cause high CPU utilization, resulting in a denial of service (DoS) condition that degrades both user traffic and management access.
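The root-cause pattern the advisory describes, an endpoint on which expensive processing is reachable before the caller is authenticated and the request is validated, shown in a hypothetical request handler. This is an added example, not Cisco code, and it does not reproduce the affected endpoint; the bearer token, body-size bound, per-source rate limit and the `expensive_work` stand-in are all assumptions made for the illustration.

```python
"""Why ordering matters in an API handler: the vulnerable shape does the
CPU-heavy work before checking who is calling, so any remote client can
burn CPU; the hardened shape rate-limits, authenticates and validates
before any expensive work runs.  Hypothetical code, not a vendor's."""
from collections import deque
import hashlib
import hmac
import time

API_TOKEN = "example-token"     # constructed shared secret (assumption)
MAX_BODY_BYTES = 4096           # assumed upper bound on request bodies
RATE_LIMIT = 5                  # assumed requests per window per source
RATE_WINDOW_SECONDS = 60.0

# Counter so the effect of each handler on CPU-heavy work is observable.
EXPENSIVE_CALLS = {"count": 0}


def expensive_work(body: bytes) -> str:
    """Stand-in for a CPU-heavy operation: iterated SHA-256 over the body."""
    EXPENSIVE_CALLS["count"] += 1
    digest = body
    for _ in range(20000):
        digest = hashlib.sha256(digest).digest()
    return digest.hex()


def _token_ok(headers: dict) -> bool:
    """Constant-time comparison of the presented bearer token."""
    presented = str(headers.get("Authorization", "")).encode()
    expected = f"Bearer {API_TOKEN}".encode()
    return hmac.compare_digest(presented, expected)


def vulnerable_handler(request: dict) -> tuple[int, str]:
    """Vulnerable shape: the expensive work runs first, and authentication
    only decides what to send back.  Unauthenticated callers still cost CPU."""
    result = expensive_work(request.get("body", b""))
    if not _token_ok(request.get("headers", {})):
        return 401, "unauthorized"
    return 200, result


class HardenedHandler:
    """Hardened shape: cheap rejections first, expensive work last."""

    def __init__(self, now=time.monotonic):
        self._now = now                     # injectable clock for testing
        self._hits: dict[str, deque] = {}   # sliding window per source

    def _over_rate_limit(self, source: str) -> bool:
        now = self._now()
        window = self._hits.setdefault(source, deque())
        while window and now - window[0] > RATE_WINDOW_SECONDS:
            window.popleft()
        if len(window) >= RATE_LIMIT:
            return True
        window.append(now)
        return False

    def handle(self, request: dict) -> tuple[int, str]:
        source = request.get("source", "unknown")
        headers = request.get("headers", {})
        body = request.get("body", b"")
        # 1. Per-source rate limit: counts every request, accepted or not.
        if self._over_rate_limit(source):
            return 429, "too many requests"
        # 2. Authenticate before touching the payload.
        if not _token_ok(headers):
            return 401, "unauthorized"
        # 3. Validate shape and size before the expensive path.
        if not isinstance(body, (bytes, bytearray)) or len(body) > MAX_BODY_BYTES:
            return 413, "payload too large"
        if headers.get("Content-Type") != "application/json":
            return 415, "unsupported media type"
        return 200, expensive_work(bytes(body))


def run_demo() -> dict:
    """Send one unauthenticated request to each handler and report how many
    times the CPU-heavy path ran for each."""
    unauth = {"source": "198.51.100.7", "headers": {}, "body": b"{}"}  # constructed
    before = EXPENSIVE_CALLS["count"]
    vulnerable_handler(unauth)
    after_vulnerable = EXPENSIVE_CALLS["count"] - before
    HardenedHandler().handle(unauth)
    after_hardened = EXPENSIVE_CALLS["count"] - before - after_vulnerable
    return {"vulnerable_expensive_calls": after_vulnerable,
            "hardened_expensive_calls": after_hardened}


if __name__ == "__main__":
    print(run_demo())
```

The point of the ordering is that every check that precedes `expensive_work` costs almost nothing, so an unauthenticated or malformed request is turned away before it can consume CPU; the rate limit is applied to all requests from a source, including rejected ones, so a flood of cheap rejections cannot become its own load.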

This vulnerability affects the following Cisco products regardless of device configuration:

  • Emergency Responder (CSCwf62074)
  • Prime Collaboration Deployment (CSCwf62080)
  • Unified Communications Manager (Unified CM) (CSCwf44755)
  • Unified Communications Manager IM & Presence Service (Unified CM IM&P) (CSCwf62094)
  • Unified Communications Manager Session Management Edition (Unified CM SME) (CSCwf44755)
  • Unity Connection (CSCwf62081)

Cisco has confirmed that this vulnerability does not affect the following Cisco products:

  • Finesse
  • Hosted Collaboration Mediation Fulfillment (HCM-F)
  • Packaged Contact Center Enterprise (Packaged CCE)
  • Prime License Manager (PLM)
  • Remote Expert Mobile
  • SocialMiner
  • Unified Contact Center Domain Manager (Unified CCDM)
  • Unified Contact Center Express (Unified CCX)
  • Unified Contact Center Management Portal (Unified CCMP)
  • Unified Customer Voice Portal (CVP)
  • Unified Intelligence Center
  • Virtualized Voice Browser (VVB)