Critical Cisco Contact Center Bug Threatens Customer-Service Havoc

Attackers could access and modify agent resources, telephone queues and other customer-service systems – and access personal information on companies’ customers.

A critical security bug affecting Cisco’s Unified Contact Center Enterprise (UCCE) portfolio could allow privilege escalation and platform takeover.

Cisco UCCE is an on-premises customer-service platform capable of supporting up to 24,000 customer-service agents using channels that include inbound voice, outbound voice, outbound interactive voice response (IVR) and digital channels. It also offers a feedback loop via post-call IVR, email and web intercept surveys, and various reporting options to gather information on agent performance for use in establishing metrics and informing business intelligence.

It counts some heavy hitters among its users, including T-Mobile USA, according to the product website.

The bug in question (CVE-2022-20658) is a particularly nasty one, with a critical rating of 9.6 out of 10 on the CVSS vulnerability-severity scale, and could allow authenticated, remote attackers to elevate their privileges to administrator, with the ability to create other administrator accounts.

It specifically exists in the web-based management interface of Cisco Unified Contact Center Management Portal (Unified CCMP) and Cisco Unified Contact Center Domain Manager (Unified CCDM) and stems from the fact that the server

Read More: https://threatpost.com/critical-cisco-contact-center-bug/177681/