Cisco has warned that its software, which organisations use to manage voice over IP (VoIP) calls and messaging over their networks, is at risk from being controlled by hackers.
The networking firm, which recently uncovered spearphishing malware in Microsoft Word, said attackers could gain administrative access to its Unified Communications Domain Manager (Unified CDM) software by exploiting a default SSH private key.
"An attacker could exploit this vulnerability by obtaining the SSH private key," Cisco warned in an advisory.
"For example, the attacker might reverse engineer the binary file of the operating system. This will allow the attacker to connect by using the support account to the system without requiring any form of authentication.
"An exploit could allow the attacker to gain access to the system with the privileges of the root user."
Cisco’s Unified CDM is a service delivery and management platform that provides automation and administrative functions over the Cisco UC Manager, Cisco Unity Connection and Cisco Jabber applications, as well as the associated phones and soft clients.
Cisco said that another flaw allowed unauthenticated remote attackers to gain administrative control by tricking a valid administrator to click on web links, while a data manipulation exploit could allow an attacker to remotely tamper with user account settings, including personal phone directories and settings.
The company added that it has released free security updates to address the Unified CDM Privilege Escalation Vulnerability and Default SSH Key Vulnerability.
