CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | SINGLE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | COMPLETE |

AV:N/AC:L/Au:S/C:N/I:N/A:C

EPSS Percentile: 84.0%

A vulnerability in the Session Initiation Protocol (SIP) subsystem of Cisco Unified Communications Manager (Cisco Unified CM) could allow an authenticated, remote attacker to trigger a denial of service condition.
The vulnerability is due to a failure by the SIP subsystem to properly sanitize Extensible Markup Language (XML) prior to passing it to the XML processing engine. An attacker could exploit this vulnerability by submitting a crafted SIP message from a registered endpoint to an affected Cisco Unified CM. Successful exploitation could allow the attacker to cause a process crash that results in a denial of service condition.
Cisco has confirmed the vulnerability in a security notice and released software updates.
To exploit this vulnerability, an attacker must authenticate to the targeted system or to an endpoint registered to the targeted system. This access requirement may reduce the likelihood of a successful exploit.
Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.
Vendor | Product | Version | CPE |
---|---|---|---|
cisco | unified_communications_manager | any | cpe:2.3:a:cisco:unified_communications_manager:any:*:*:*:*:*:*:* |