CVE-2023-20266

Name of the Vulnerable Software and Affected Versions Cisco Emergency Responder (affected versions not specified) Cisco Unified Communications Manager (affected versions not specified) Cisco Unified Communications Manager Session Management Edition (affected versions not specified) Cisco Unity Connection (affected versions not specified)

Description A vulnerability in the mentioned Cisco products could allow an authenticated, remote attacker to elevate privileges to root on an affected device. This issue exists because the application does not properly restrict the files used for upgrades. An attacker could exploit this by providing a crafted upgrade file, allowing them to elevate privileges to root. The attacker must have valid platform administrator credentials on an affected device to exploit this vulnerability.

Recommendations For Cisco Emergency Responder, consider disabling the upgrade feature until a patch is available. For Cisco Unified Communications Manager, restrict access to upgrade files to minimize the risk of exploitation. For Cisco Unified Communications Manager Session Management Edition, avoid using crafted upgrade files until the issue is resolved. For Cisco Unity Connection, as a temporary workaround, consider restricting administrator access to the system until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.