Cisco’s security response team has confirmed real-world attacks and advises customers to take immediate action.

How the Attack Works

The issue originates in the web-based management interface, where HTTP request input is not properly validated.

Attackers can exploit this weakness by:

• Sending crafted HTTP requests to the management endpoint
• Bypassing authentication controls
• Executing commands on the operating system
• Escalating privileges to full root access

Because the flaw allows complete system takeover, Cisco classified it as Critical, prioritizing impact over traditional scoring metrics.

Impacted Cisco Products

Cisco confirmed the following products are affected, independent of configuration:

Other Cisco UC components, including Contact Center-related platforms, are confirmed not vulnerable.

Software Updates and Fix Availability

Cisco has released fixes for supported versions. Only the releases listed below are validated by Cisco PSIRT.

Unified CM, IM&P, SME, Webex Calling

Unity Connection

Cisco has observed attackers targeting unpatched deployments, likely using automated discovery techniques to locate exposed management interfaces. Environments supporting enterprise voice and collaboration services are particularly attractive targets.

The vulnerability has also been added to CISA’s Known Exploited Vulnerabilities catalog, increasing compliance pressure for affected organizations.

What Cisco Recommends

Organizations should take the following steps immediately:

• Apply Cisco security updates or upgrade to fixed releases
• Restrict access to management interfaces using network controls
• Monitor HTTP activity for abnormal request patterns
• Investigate systems for indicators of compromise

The post Cisco Unified Communications Zero-Day RCE Enables Root Access appeared first on First Hackers News.

The problems come from weaknesses in the Java Remote Method Invocation (RMI) process and the CCX Editor application, posing major risks to enterprise contact centers.

Vulnerability Details

Two critical flaws were found:

1. CVE-2025-20354 – Remote Code Execution (CVSS 9.8)
This issue affects the Java RMI process. Attackers can upload files without authentication and use them to run system commands and gain full root access.

2. CVE-2025-20358 – Authentication Bypass (CVSS 9.4)
This flaw affects the CCX Editor. Attackers can trick the system into accepting fake authentication, allowing them to create and run scripts with administrative privileges.

Impact

• All Cisco Unified CCX systems are affected, regardless of configuration.
• Packaged CCE and Unified CCE are not impacted.
• The two vulnerabilities are independent and do not need to be chained.

Patches and Recommendations

Cisco has released updates, and no workarounds exist. Organizations should apply patches immediately:

• Unified CCX 12.5: Update to 12.5 SU3 ES07 or later
• Unified CCX 15.0: Update to 15.0 ES01 or later

Systems running older versions (earlier than 12.5 SU3 or 15.0) are at high risk.

Cisco’s PSIRT reports no active attacks yet, but the ease of exploitation makes these vulnerabilities highly attractive to attackers.

• Check your current Unified CCX version and apply the required patches immediately.
• Prioritize patching any system exposed to the internet.
• Use temporary controls like network segmentation and limiting RMI access to trusted networks.

These vulnerabilities allow full system compromise, so urgent action is required to secure affected deployments.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post Attackers Can Exploit Multiple Flaws in Cisco Unified CCX to Run Commands appeared first on First Hackers News.

The vulnerability exists because the appliance does not properly validate user-supplied input. As a result, even a user with the Observer role—the lowest level of access—can send crafted HTTP requests that bypass normal security checks.

Once exploited, attackers could create new accounts, modify system settings, or take over the appliance entirely.

Which Deployments Are Affected?

Cisco confirms that the issue affects only the Virtual Appliance running on VMware ESXi.
The following are not impacted:

• Catalyst Center hardware appliances
• Virtual Appliances deployed on AWS

In terms of software versions:

• Not affected: Versions earlier than 2.3.7.3-VA and version 3.1
• Affected: Versions 2.3.7.3-VA and later
• Fixed version: Upgrade to 2.3.7.10-VA or later

There are no temporary workarounds. An upgrade is the only way to eliminate the risk.

According to Cisco’s PSIRT team:

• No active exploitation has been detected
• No public reports or attacks have been observed
• The vulnerability was found internally during a TAC support case

Even though it hasn’t been exploited yet, the ease of privilege escalation makes this a high-priority issue for organizations.

Action Required

Cisco advises all customers using the affected Virtual Appliance to:

1. Review the official Cisco security advisory
2. Check the running software version
3. Immediately apply the fixed release (2.3.7.10-VA or higher)

Updating ensures the appliance cannot be compromised through this privilege escalation flaw and keeps the deployment aligned with Cisco’s security best practices.

The post Cisco Catalyst Center Bug Lets Attackers Gain Higher Access appeared first on First Hackers News.

Cisco Webex Flaw

The issue came from how the Webex client join services handled malicious HTTP requests. Security researcher Matthew B. Johnson (d3d) discovered and reported the vulnerability, known as an HTTP cache poisoning flaw.

Attackers could use this vulnerability to trick the server into caching a malicious response, which would then be served to other users. This could lead to misleading or harmful content being shown during meetings. Fortunately, Cisco has already fixed the problem on its cloud servers, so no customer action is needed.

What is HTTP Cache Poisoning?

HTTP cache poisoning happens when an attacker sends a specially crafted request to a web server. If the server caches that response, other users may receive the attacker’s modified content.

In the case of Webex, the attack exploited how the system handled unkeyed inputs in HTTP requests—parts of the request that affect the response but are not considered when caching.

Because the vulnerability didn’t require authentication and was low in complexity, it could have been used widely if not patched quickly.

Technical Details

• Type: HTTP cache poisoning (CWE-349)
• Impact: Integrity (e.g., altered content served to users)
• Attack Complexity: Low
• User Interaction: Required
• Authentication: Not needed
• Affected Product: Cisco Webex Meetings (cloud-based only)
• CVSS Score: 4.3 (Medium)

Cisco has secured its infrastructure, but administrators are encouraged to stay aware of how shared cache systems can be used in attacks like this.

Mitigation

Cisco has already fixed this vulnerability in its cloud-based Webex Meetings platform, so users don’t need to take any action. According to Cisco’s advisory, “No user action is required,” and there are no available workarounds.

Cisco’s security team also confirmed that there was no sign of the bug being exploited in the wild.

Still, organizations using Webex should make sure they’re on the latest version of the service with the patch applied.

For extra protection against similar cache poisoning issues, security experts recommend validating all user inputs (especially in HTTP headers), configuring web caches carefully, and using HTTP response headers like Vary to manage how responses are cached.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Cisco Webex Flaw Allows HTTP Response Tampering appeared first on First Hackers News.

Cisco Nexus Vulnerability

This flaw allows authenticated local attackers with administrative privileges to execute arbitrary commands on the underlying operating system with root-level access.

The vulnerability was discovered by Cisco’s Advanced Security Initiatives Group (ASIG) during internal testing, highlighting the security risks tied to software image validation in enterprise network devices.

CVE-2025-20161 exists due to improper input validation during the software upgrade process in Cisco Nexus switches.

The devices fail to properly sanitize parts of the software image, allowing attackers to embed commands that run on the operating system.

This is a classic example of OS Command Injection (CWE-78), where untrusted input gets passed to system-level commands.

Exploiting this flaw requires valid administrator credentials, so the primary risks come from insider threats or compromised admin accounts.

The vulnerability has a CVSS score of 5.1 (Medium), but command injection in core infrastructure like data center switches could enable attackers to move laterally, steal data, or disrupt critical services.

The need for administrative credentials limits the attack surface but raises concerns about insider threats and credential management.

Organizations should audit Nexus switches and monitor logs for unauthorized upgrade attempts.

The vulnerability affects all Cisco Nexus 3000 and 9000 Series Switches running standalone NX-OS. Devices in ACI mode and other Cisco products are unaffected.

Cisco has released patches and urges immediate upgrades using the Cisco Software Checker tool.

No workarounds are available, so quick action is required.

Verifying software image integrity with cryptographic hashes before installation can help prevent risks from tampered files.

Mitigations

Although CVE-2025-20161 has not been actively exploited, its potential impact requires immediate action. Network administrators should:

• Apply Cisco’s security updates using the official Software Checker portal.
• Enforce strict access controls for administrative accounts.
• Implement hash verification for all software images.

Cisco’s proactive disclosure highlights the importance of maintaining rigorous patch management practices, especially since no workarounds exist.

The post Cisco Nexus Vulnerability Allows Malicious Command Injection appeared first on First Hackers News.

CVE-2024-20418

Tracked as CVE-2024-20418, this flaw allows unauthenticated remote attackers to inject commands and execute arbitrary commands as the root user on affected devices.

The vulnerability is due to improper input validation in the web-based management interface. Exploiting it is straightforward; attackers can gain root access by sending specially crafted HTTP requests to the web interface.

Due to its high severity, this flaw has been assigned the maximum CVSS score of 10.0, highlighting its critical nature. It affects several products:

• Cisco Catalyst IW9165D Heavy-Duty Access Points
• Cisco Catalyst IW9165E Rugged Access Points and Wireless Clients
• Cisco Catalyst IW9167E Heavy-Duty Access Points

These devices are vulnerable if running an affected software version with URWB operating mode enabled.

Cisco has released patches to fix the issue, and users should update immediately as no workarounds are available.

Cisco users can check vulnerability by running the “show mpls-config” CLI command. If this command is available, the device is likely affected; if unavailable, URWB mode is disabled, and the device is safe.

Due to the risk of full system compromise, organizations with affected products should prioritize patching.

The post Cisco Vulnerability Allowed Attackers to Execute Commands as Root appeared first on First Hackers News.

The vulnerability, identified as CVE-2022-28199 (CVSS 8.6), is due to improper error handling in the network stack of DPDK, which enables a remote attacker to cause a denial-of-service (DoS) scenario and affects data integrity and confidentiality. 

Cisco Products Affected by CVE-2022-28199 

They has also fixed a flaw identified as CVE-2022-20696 (CVSS 7.5) in Cisco SD-WAN vManage Software. A vulnerability in the binding configuration of Cisco SD-WAN vManage Software containers could allow an unauthenticated, adjacent attacker who has access to the VPN0 logical network to also access the messaging service ports on an affected system.

Another fix was issued for a flaw in the messaging interface of the  Webex App. CVE-2022-20863.A vulnerability in the messaging interface of Cisco Webex App, formerly Webex Teams, could allow an unauthenticated, remote attacker to manipulate links or other content within the messaging interface.

However, Cisco explained there would be no patches for this flaw due to impacted products (RV110W, RV130, RV130W, and RV215W Routers) reaching end-of-life. The vulnerability is not critical, but it is recommended to migrate to a supported router series.

Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Cisco Released Patches for Vulnerabilities Affecting Several Products appeared first on First Hackers News.