Cisco Unified Communications Manager DNA Arbitrary File Upload Vulnerability

A vulnerability in the Multiple Analyzer of the Cisco Unified Communications Manager Dialed Number Analyzer (DNA) could allow an authenticated, remote attacker to upload arbitrary files to a restricted location on the filesystem.

The vulnerability is due to insufficient parameter validation. An attacker could exploit this vulnerability by submitting crafted data to the web server.

Cisco has confirmed the vulnerability in a security notice; however, software updates are not available.

Although an attacker must authenticate to an affected device to exploit this vulnerability, the attacker may be able to convince an authenticated user to click a malicious link by using misleading language and instructions.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.