Cisco has released a patch for CVE-2022-20658, a flaw rated 9.6 on the CVSS scale and therefore classified as "critical". It affects the server components of Unified Contact Center Management Portal (Unified CCMP) and Unified Contact Center Domain Manager (Unified CCDM).
Attackers can create admin accounts
The vulnerability lets an attacker read and modify telephony and user resources across every Unified platform associated with an unpatched Cisco Unified CCMP. The root cause is missing server-side validation of user permissions: the server does not verify that the requester is authorized to perform a privileged action, so an attacker can create an administrator account simply by submitting a crafted HTTP request to a vulnerable system.
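The bug class described above (a privileged action authorized from request content rather than from the server's own record of who the caller is) is easier to recognize side by side with its fix. The following is an added illustration, not Cisco's code and not a reconstruction of the CCMP request: it assumes a hypothetical in-memory user directory and a JSON-like request body with `username` and `role` fields, and shows a handler that honours the request as submitted next to one that decides authorization from the server-side session record and records denied attempts for detection.

```python
# Added example (not Cisco's code): missing vs. present server-side
# authorization on an "create account" handler. All names are hypothetical.
from dataclasses import dataclass, field

VALID_ROLES = ("admin", "agent")


@dataclass
class User:
    name: str
    role: str  # "admin" or "agent"


@dataclass
class Directory:
    users: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)  # denied attempts land here


class PermissionDenied(Exception):
    pass


def create_user_vulnerable(directory: Directory, caller: User, request: dict) -> User:
    """Vulnerable pattern: the handler never asks whether `caller` may create
    accounts, nor whether it may grant the requested role. Whatever the client
    puts in the body is written to the directory, so a low-privilege caller can
    mint an administrator."""
    new = User(request["username"], request["role"])
    directory.users[new.name] = new
    return new


def create_user_hardened(directory: Directory, caller: User, request: dict) -> User:
    """Hardened pattern: authorization is derived from `caller`, which the
    server looked up from its own session store, never from the request body.
    Denials are logged so that repeated attempts are visible to monitoring."""
    if caller.role != "admin":
        directory.audit_log.append(
            f"DENIED create_user by {caller.name} (role={caller.role}) "
            f"for username={request.get('username')!r}"
        )
        raise PermissionDenied(f"{caller.name} may not create accounts")

    role = request.get("role", "agent")  # default to least privilege
    if role not in VALID_ROLES:
        raise ValueError(f"unknown role {role!r}")
    username = request["username"]
    if username in directory.users:
        raise ValueError(f"user {username!r} already exists")

    new = User(username, role)
    directory.users[new.name] = new
    return new


def demo() -> dict:
    """Run both handlers with the same constructed request from a non-admin
    caller and report what each one did."""
    # Constructed sample input: an agent-level session asks for an admin account.
    agent_session = User("agent01", "agent")
    request = {"username": "new-admin", "role": "admin"}

    vulnerable_dir = Directory()
    created = create_user_vulnerable(vulnerable_dir, agent_session, request)

    hardened_dir = Directory()
    try:
        create_user_hardened(hardened_dir, agent_session, request)
        hardened_outcome = "created"
    except PermissionDenied:
        hardened_outcome = "denied"

    # The same request from a genuine admin session is legitimate and succeeds.
    admin_session = User("root", "admin")
    legit = create_user_hardened(hardened_dir, admin_session, request)

    return {
        "vulnerable_created_role": created.role,
        "hardened_outcome": hardened_outcome,
        "hardened_user_exists_after_denial": "new-admin" in hardened_dir.users
        and legit.name == "new-admin",
        "denied_events_logged": len(hardened_dir.audit_log),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hardened handler is that the only input to the authorization decision is `caller`, an object the server populated from its own session state; the request body can ask for any role it likes, and the answer is still decided from data the client never controlled. The `audit_log` entries are the kind of signal a detection rule would key on after a patch like Cisco's is rolled out.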
According to Cisco, there is no workaround; the only remedy is to apply the software updates. The vulnerability affects Cisco Unified CCMP / CCDM releases 12.5.1, 12.0.1, 11.6.1, and earlier; release 12.6.1 is not affected.
Because the flaw is critical, patching promptly is essential to protect vulnerable systems. No exploitation in the wild has been observed so far, but threat actors are likely to start looking for unpatched systems soon.