Main Vulnerability Database Vulnerabilities #VU15768

#VU15768 OS command injection in Cisco Unity Express - CVE-2018-15381

Published: November 7, 2018 / Updated: November 8, 2018

Vulnerability identifier: #VU15768

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2018-15381

CWE-ID: CWE-78

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Cisco Unity Express

Software vendor:
Cisco Systems, Inc

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to insecure deserialization of user-supplied content. A remote unauthenticated attacker can send a malicious serialized Java object to the listening Java Remote Method Invocation (RMI) service and execute arbitrary shell commands on the device with root privileges.

Remediation

Update to version 9.0.6.

External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-cue