Security Affairs
TuxBot v3: The IoT Botnet Built With AI – Bugs, Disclaimers and All|Claude Code and DeepSeek Powered Chinese Cyber Espionage Campaign|Zoom Fixes CVE-2026-53412, a Critical Account Takeover Bug|US and allied Governments’ Recommendations: Securing Network Devices Against Russian APT Groups|Chaotic Eclipse Unveils LegacyHive Exploit Affecting Fully Patched Windows Systems|AsyncAPI npm Supply Chain Attack: Malware Injected Into Packages With 2 Million Weekly Downloads|U.S. CISA adds SonicWall and Microsoft flaws to its Known Exploited Vulnerabilities catalog|SonicWall warns of active exploitation of two SMA 1000 zero-days|Patch Tuesday security updates for July 2026, the largest update ever. 621 CVEs in one month|U.S. Treasury Sanctions VPN Provider and Cryptor Seller Behind Billions in Ransomware Losses|Attacker Used AI to Build Custom PowerShell Recon Malware|Malware Hits Japan’s Largest Taxi Company Nihon Kotsu, Services Temporarily Suspended|TuxBot v3: The IoT Botnet Built With AI – Bugs, Disclaimers and All|Claude Code and DeepSeek Powered Chinese Cyber Espionage Campaign|Zoom Fixes CVE-2026-53412, a Critical Account Takeover Bug|US and allied Governments’ Recommendations: Securing Network Devices Against Russian APT Groups|Chaotic Eclipse Unveils LegacyHive Exploit Affecting Fully Patched Windows Systems|AsyncAPI npm Supply Chain Attack: Malware Injected Into Packages With 2 Million Weekly Downloads|U.S. CISA adds SonicWall and Microsoft flaws to its Known Exploited Vulnerabilities catalog|SonicWall warns of active exploitation of two SMA 1000 zero-days|Patch Tuesday security updates for July 2026, the largest update ever. 621 CVEs in one month|U.S. Treasury Sanctions VPN Provider and Cryptor Seller Behind Billions in Ransomware Losses|Attacker Used AI to Build Custom PowerShell Recon Malware|Malware Hits Japan’s Largest Taxi Company Nihon Kotsu, Services Temporarily Suspended|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Cisco fixes SQL Injection flaw in Unified CM

A high-severity flaw (CVE-2023-20010) was found in Cisco Unified Communications Manager and Unified Communications Manager Session Management Edition. Cisco fixed a high-severity SQL injection flaw, tracked as CVE-2023-20010 (CVSS score of 8.1), in Unified Communications Manager and Unified Communications Manager Session Management Edition. Unified Communications Manager solutions provide reliable, secure, scalable, and manageable call control […]

Cisco Catalyst

A high-severity flaw (CVE-2023-20010) was found in Cisco Unified Communications Manager and Unified Communications Manager Session Management Edition.

Cisco fixed a high-severity SQL injection flaw, tracked as CVE-2023-20010 (CVSS score of 8.1), in Unified Communications Manager and Unified Communications Manager Session Management Edition.

Unified Communications Manager solutions provide reliable, secure, scalable, and manageable call control and session management. Cisco Unified (CM) supports industry standards, a wide range of gateways, and a broad ecosystem of third-party integrations and solutions plus partners. 

The vulnerability CVE-2023-20010 resides in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME), an authenticated, remote attacker can trigger it to conduct SQL injection attacks on a vulnerable system.

“This vulnerability exists because the web-based management interface inadequately validates user input. An attacker could exploit this vulnerability by authenticating to the application as a low-privileged user and sending crafted SQL queries to an affected system.” reads the advisory published by the IT giant. “A successful exploit could allow the attacker to read or modify any data on the underlying database or elevate their privileges.”

The flaw impacts Cisco Unified CM and Unified CM SME versions 11.5(1), 12.5(1), and 14. The company advises customers to upgrade to an appropriate fixed software release as reported in the following table:

Cisco Unified CM and Unified CM SME ReleaseFirst Fixed Release
11.5(1)Migrate to a fixed release.
12.5(1)12.5(1)SU7
1414SU3 (Mar 2023)

The company states that are no workarounds to address this vulnerability.

The flaw was discovered by Jason Crowder of the Cisco Advanced Security Initiatives Group (ASIG) and Skay@360 Noah-Lab.

The Cisco PSIRT is not aware of attacks in the wild exploiting this vulnerability.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2023-20010)

[adrotate banner=”5″]

[adrotate banner=”13″]