Cisco Unified Communications Manager CAPF Unauthenticated Device Information Update Vulnerability

A vulnerability in the Certificate Authority Proxy Function (CAPF) of Cisco Unified Communications Manager (Cisco Unified CM) could allow an unauthenticated, remote attacker to change information related to registered devices.

The vulnerability is due to insufficient authentication enforcement. An attacker could exploit this vulnerability by submitting crafted information regarding the device to CAPF. An exploit could allow the attacker to change certain information regarding a registered device.

Cisco has confirmed the vulnerability in a security notice; however, software updates are not available.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.