Cyber Resilience

CVE-2022-20658

Critical

Published: 14 January 2022

Published
14 January 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
EPSS Score 0.0026 50.2th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-20658 is a critical-severity Client-Side Enforcement of Server-Side Security (CWE-602) vulnerability in Cisco Unified Contact Center Express. Its CVSS base score is 9.6 (Critical).

Operationally, ranked in the top 49.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A vulnerability in the web-based management interface of Cisco Unified Contact Center Management Portal (Unified CCMP) and Cisco Unified Contact Center Domain Manager (Unified CCDM) could allow an authenticated, remote attacker to elevate their privileges to Administrator. This vulnerability is…

more

due to the lack of server-side validation of user permissions. An attacker could exploit this vulnerability by submitting a crafted HTTP request to a vulnerable system. A successful exploit could allow the attacker to create Administrator accounts. With these accounts, the attacker could access and modify telephony and user resources across all the Unified platforms that are associated to the vulnerable Cisco Unified CCMP. To successfully exploit this vulnerability, an attacker would need valid Advanced User credentials.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

cisco
unified contact center express
12.0.1, 12.5.1
cisco
unified contact center management portal
≤ 11.6.1

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-669

Enforces proper authorization rules for any resource or data transfer between different spheres.

addresses: CWE-669

Accountability, documentation, and protection requirements ensure correct transfer of media resources between spheres.

addresses: CWE-669

Reduces incorrect transfers between spheres by establishing clear, separate domains for different sensitivities or functions.

addresses: CWE-669

It governs all resource transfers between spheres, preventing incorrect or unauthorized movement of data or capabilities across domain interfaces.

addresses: CWE-669

Addresses incorrect transfer of resources to an uncontrolled sphere by requiring approved destruction or sanitization methods.

References