A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) in the Cisco Finesse Desktop and Cisco Unified Contact Center Express applications could allow an unauthenticated, remote attacker to log in to the device with a default account with a static password. This account provides nonadministrative access to the Openfire server bundled with the application.
The vulnerability occurs because a default user account is created at installation and the account password cannot be changed. An attacker could exploit this vulnerability by logging in using XMPP to access the Openfire server using the default account. The attacker could log in using the default account and gain unauthorized access to the Openfire server, which allows sensitive data to be viewed and modified.
Cisco has released software updates that address this vulnerability. Workarounds that address this vulnerability are not available.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160202-fducce