CVE-2022-20859

Cisco Unified Communications Products Access Control Vulnerability

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability in the Disaster Recovery framework of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), and Cisco Unity Connection could allow an authenticated, remote attacker to perform certain administrative actions they should not be able to. This vulnerability is due to insufficient access control checks on the affected device. An attacker with read-only privileges could exploit this vulnerability by executing a specific vulnerable command on an affected device. A successful exploit could allow the attacker to perform a set of administrative actions they should not be able to.

Una vulnerabilidad en el marco de Recuperación de Desastres de Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), y Cisco Unity Connection podría permitir a un atacante autenticado y remoto llevar a cabo determinadas acciones administrativas que no deberían poder. Esta vulnerabilidad es debido a una comprobación de control de acceso insuficiente en el dispositivo afectado. Un atacante con privilegios de sólo lectura podría explotar esta vulnerabilidad al ejecutar un comando vulnerable específico en un dispositivo afectado. Una explotación con éxito podría permitir al atacante llevar a cabo una serie de acciones administrativas que no debería poder realizar

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-11-02 CVE Reserved
2022-07-06 CVE Published
2024-06-20 EPSS Updated
2024-09-17 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-284: Improper Access Control

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucm-access-dMKvV2DY	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cisco Search vendor "Cisco"		Unified Communications Manager Search vendor "Cisco" for product "Unified Communications Manager"				>= 14.0 < 14su2 Search vendor "Cisco" for product "Unified Communications Manager" and version " >= 14.0 < 14su2"		-		Affected
Cisco Search vendor "Cisco"		Unified Communications Manager Im And Presence Service Search vendor "Cisco" for product "Unified Communications Manager Im And Presence Service"				>= 14.0 < 14.0su2 Search vendor "Cisco" for product "Unified Communications Manager Im And Presence Service" and version " >= 14.0 < 14.0su2"		-		Affected
Cisco Search vendor "Cisco"		Unity Connection Search vendor "Cisco" for product "Unity Connection"				>= 14.0 < 14su2 Search vendor "Cisco" for product "Unity Connection" and version " >= 14.0 < 14su2"		-		Affected