Cisco Unified Call Manager Arbitrary File Retrieval Vulnerability

A vulnerability in Cisco Unified Call Manager (Cisco Unified CM) could allow an authenticated, remote attacker to retrieve arbitrary files.

The vulnerability is due to improper security restrictions by the affected application while handling requests for resources. An authenticated, remote attacker could exploit this vulnerability to retrieve arbitrary files from a targeted device. A successful exploit could be used to conduct further attacks.

Cisco has confirmed the vulnerability; however, software updates are not available.

To exploit this vulnerability, an attacker must authenticate to the targeted device. This access requirement decreases the likelihood of a successful exploit.

There are known fixed releases that mitigate this vulnerability; however, at the time this alert was first published, the known fixed releases were not available for download on the Cisco software download page.