Cyber Resilience

CVE-2021-1406

Medium

Published: 08 April 2021

Published
08 April 2021
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0018 40.0th percentile
Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-1406 is a medium-severity Insertion of Sensitive Information into Externally-Accessible File or Directory (CWE-538) vulnerability in Cisco Unified Communications Manager. Its CVSS base score is 4.9 (Medium).

Operationally, ranked at the 40.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to access sensitive information on an affected device. The vulnerability is due to improper…

more

inclusion of sensitive information in downloadable files. An attacker could exploit this vulnerability by authenticating to an affected device and issuing a specific set of commands. A successful exploit could allow the attacker to obtain hashed credentials of system users. To exploit this vulnerability an attacker would need to have valid user credentials with elevated privileges.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

cisco
unified communications manager
10.5\(2\), 10.5\(2\)su1, 10.5\(2\)su10, 10.5\(2\)su2, 10.5\(2\)su2a

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-200 CWE-538

Review and removal of nonpublic information from publicly accessible systems directly prevents exposure of sensitive data to unauthorized actors.

addresses: CWE-200 CWE-538

Monitoring directly detects unauthorized disclosure of sensitive information, enabling response to exposures.

addresses: CWE-200 CWE-538

A data action map identifies locations where sensitive information may be exposed to unauthorized actors during processing or transfer.

addresses: CWE-200 CWE-538

The control's identification, isolation, alerting, and eradication steps directly limit the impact and exploitation window of unauthorized sensitive information exposure.

addresses: CWE-200 CWE-538

Categorization identifies sensitive data so that confidentiality protections commensurate with impact level are selected and documented.

addresses: CWE-200 CWE-538

The assessment process surfaces design decisions that could expose sensitive (including PII) data to unauthorized actors, prompting controls that reduce such exposure.

addresses: CWE-200 CWE-538

Tainting directly detects exfiltration resulting from exposure of sensitive information to unauthorized actors.

addresses: CWE-200 CWE-538

OPSEC controls directly protect supply chain information from unauthorized observation or disclosure.

References