CVE-2018-15381
published 2018-11-08


Priority: P181 | critical | 9.8 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 87.25% (99.7th percentile)

A Java deserialization vulnerability in Cisco Unity Express (CUE) could allow an unauthenticated, remote attacker to execute arbitrary shell commands with the privileges of the root user. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a malicious serialized Java object to the listening Java Remote Method Invocation (RMI) service. A successful exploit could allow the attacker to execute arbitrary commands on the device with root privileges.

Affected

3 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_unity_express | | |
| cisco | unity_express | < 9.0.6 | 9.0.6 |
| cisco | unity_express | | |

Detection & IOCs (extracted from sources)

  • Exploit vector is a malicious serialized Java object sent to the Java RMI service; monitor for unexpected or malformed RMI traffic targeting Cisco Unity Express devices
  • Successful exploitation results in arbitrary shell commands executed with root privileges; monitor for unexpected root-level process spawning on Cisco Unity Express devices
  • The attack is unauthenticated and remote; no credentials are required, so any inbound RMI connection from an untrusted source to a CUE device should be treated as suspicious
  • No workarounds are available for this vulnerability; the only remediation is applying Cisco's software updates
  • The Cisco Bug ID associated with this vulnerability is CSCvm02856; use it to track patch status in Cisco's advisory portal

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_cisco | 9.8 | CRITICAL