CVE-2022-20859

MEDIUM

Cisco Unified Communications Manager 14.0-14.0su2 - Improper Access Control via Disaster Recovery Framework

Title source: llm

Description

A vulnerability in the Disaster Recovery framework of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), and Cisco Unity Connection could allow an authenticated, remote attacker to perform certain administrative actions they should not be able to. This vulnerability is due to insufficient access control checks on the affected device. An attacker with read-only privileges could exploit this vulnerability by executing a specific vulnerable command on an affected device. A successful exploit could allow the attacker to perform a set of administrative actions they should not be able to.

Scores

CVSS v3 6.5
EPSS 0.0164
EPSS Percentile 82.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-284
Status published
Products (3)
cisco/unified_communications_manager 14.0 - 14su2
cisco/unified_communications_manager_im_and_presence_service 14.0 - 14.0su2
cisco/unity_connection 14.0 - 14su2
Published Jul 06, 2022
Tracked Since Feb 18, 2026