Cisco Warns Users of Major Vulnerability in Unified Contact Center Express Solution
For companies using Cisco's “call center in a box” solution, Unified Contact Center Express (Unified CCX), there is urgent news about a flaw that could lead to major security breaches. The networking giant recently notified customers that a critical vulnerability in the product’s Java-based remote management interface could potentially allow a remote attacker without credentials to install malware on the device.
“The vulnerability is due to insecure deserialization of user-supplied content by the affected software,” according to Cisco. “An attacker could exploit this vulnerability by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary code as the root user on an affected device.”
Cisco’s Unified CCX solution provides call centers with call routing, management, and administration features, and is designed for businesses ranging from very small to enterprise branch offices up to 400 agents. The company markets UCCX as ideal for formal and informal small to medium-size contact centers.
Cisco has confirmed that this vulnerability does not affect its Cisco Unified Contact Center product, its enterprise-level call center solution that accommodates up to 24,000 agents.
The problem was identified by Brenden Meeder of Booz Allen Hamilton, who reported the flaw to Cisco. Thus far, Cisco has said it is not aware of any attacks that have used the flaw against installed solutions. The company is rating the flaw with a CVSS severity score of 9.8 out of a possible 10.
Cisco has released software updates that address this vulnerability. Cisco has urged customers on Unified CCX major releases earlier than 12.0 and those on a 12.0 release to migrate to release 12.0(1)ES03. Unified CCX 12.5 is not vulnerable, according to the company.
The company warns that there are no workarounds that address this vulnerability. The patch is available from Cisco.
Edited by Maurice Nagle