Organizations using Cisco's call-center platform, Unified Contact Center Express (Unified CCX), should update the software urgently, Cisco has warned.
The company has released updates for the Unified CCX platform to address a critical deserialization vulnerability in its Java-based remote management interface, which could allow a remote attacker without credentials to install malware on the device.
Cisco describes Unified CCX as a "'contact center in a box' that provides a secure and easy to deploy customer interaction management solution for up to 400 agents".
SEE: Cybersecurity: Let's get tactical (free PDF)
Brenden Meeder, a security expert from Edward Snowden's former employer, Booze Allen Hamilton, found he could compromise Unified CCX systems from afar by sending a malicious serialized Java object to the remote management interface.
"A successful exploit could allow the attacker to execute arbitrary code as the root user on an affected device," Cisco warns.
Cisco says the bug doesn't affect the bigger Cisco Unified Contact Center, which supports contact centers with up to 24,000 agents.
To address the bug, Cisco is urging customers on Unified CCX major releases earlier than 12.0 and those on a 12.0 release to migrate to release 12.0(1)ES03. Unified CCX 12.5 is not vulnerable.
The vulnerability is being tracked as CVE-2020-3280 and has a CVSS severity score of 9.8 out of a possible 10.
However Cisco's Product Security Incident Response Team (PSIRT) said it wasn't aware of any attacks in the wild on this flaw.
SEE: Cisco virtual roundtable: How to solve the digital divide impacting remote workforces and online classrooms
Cisco also released updates to fix a high-severity denial-of-service vulnerability affecting the DHCP server of Cisco Prime Network Registrar.
There are two more recently fixed medium-severity flaws that were addressed, including an SQL injection affecting the web-based management interface of Cisco Prime Collaboration Provisioning Software, and a denial-of-service flaw affecting the file scan process of Cisco AMP for Endpoints Mac Connector Software.
More on Cisco and network securityCisco: These 12 high-severity bugs in ASA and Firepower security software need patching
Cisco critical bug: Static password in Smart Software Manager – patch now, says Cisco
Cisco: Patch this critical firewall bug in Firepower Management Center
Critical Cisco DCNM flaws: Patch right now as PoC exploits are released
Cisco critical bugs: Nexus data center switch software needs patching now
Cisco: All these routers have the same embedded crypto keys, so update firmware
Cisco: These Wi-Fi access points are easily owned by remote hackers, so patch now
Cisco warning: These routers running IOS have 9.9/10-severity security flaw
Patch now: Cisco IOS XE routers exposed to rare 10/10-severity security flaw
Seriously? Cisco put Huawei X.509 certificates and keys into its own switchesHow to improve cybersecurity for your business: 6 tips TechRepublic
New cybersecurity tool lets companies Google their systems for hackers CNET