Cisco Unified Communications Manager contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands in a database underlying the affected application.
The vulnerability is due to improper sanitization of input in device registration requests. An unauthenticated, remote attacker could exploit this vulnerability by sending malicious requests to the targeted system. If successful, the attacker could modify application database contents.
Cisco has confirmed the vulnerability in a security advisory and released software updates.
To exploit the vulnerability, an attacker must be able to send device registration requests over the network to the targeted system. This action would likely require that an attacker have internal network access to conduct an exploit. Most sites restrict external access to affected systems The access requirement reduces the potential for attack.
Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.