Cisco Unified Communications Domain Manager Blind Command Injection Vulnerability

A vulnerability in the web framework of Cisco Unified Communications Domain Manager Application Software version 8 could allow an authenticated, remote attacker to inject commands that can be executed by the underlying operating system with the privileges of the web server process.

The vulnerability is due to insufficient input validation when the user sets some values in the user interface. An attacker could exploit this vulnerability by logging in to the system and injecting malicious commands. An exploit could allow the attacker to execute commands remotely with the privileges of the web server process. Administrative credentials are needed to exploit this issue.

Cisco has confirmed the vulnerability in a security notice and released software updates.

Administrator credentials are required to exploit this vulnerability. In addition; the attacker may need access to trusted or internal networks to inject malicious commands on the targeted system. This access requirement could limit the likelihood of a successful exploit.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.