CVE-2023-20259

HIGH

Cisco Unified Communications Products - DoS

Description

A vulnerability in an API endpoint of multiple Cisco Unified Communications Products could allow an unauthenticated, remote attacker to cause high CPU utilization, which could impact access to the web-based management interface and cause delays with call processing. This API is not used for device management and is unlikely to be used in normal operations of the device. This vulnerability is due to improper API authentication and incomplete validation of the API request. An attacker could exploit this vulnerability by sending a crafted HTTP request to a specific API on the device. A successful exploit could allow the attacker to cause a denial of service (DoS) condition due to high CPU utilization, which could negatively impact user traffic and management access. When the attack stops, the device will recover without manual intervention.

Scores

CVSS v3 8.6
EPSS 0.0014
EPSS Percentile 34.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Details

CWE CWE-400
Status published
Products (7)
cisco/emergency_responder 14su3
cisco/prime_collaboration_deployment 14su3
cisco/unified_communications_manager 12.5\(1\)su7 (2 CPE variants)
cisco/unified_communications_manager 14su3 (2 CPE variants)
cisco/unified_communications_manager_im_\&_presence_service 12.5\(1\)su7
cisco/unified_communications_manager_im_\&_presence_service 14su3
cisco/unity_connection 14su3
Published Oct 04, 2023
Tracked Since Feb 18, 2026