
New XSS Zero-Day Flaw Impacts Cisco’s Server Management Tool

Cisco has made a public announcement that they have discovered a zero-day vulnerability in their Prime Collaboration Deployment (PCD) software.

The PCD software is a server management tool used to run migration and upgrade tasks on the servers in an organization's inventory.

The vulnerability, identified as CVE-2023-20060, was discovered by Pierre Vivegnis of the NATO Cyber Security Centre (NCSC) in the web-based management interface of Cisco PCD 14 and earlier versions.

The flaw can be exploited by attackers for cross-site scripting attacks, which can be executed remotely without authentication. However, successful exploitation of this bug requires user interaction.

The vulnerability is caused by the web-based management interface not properly validating user input. It can be exploited by tricking a user into clicking a specially crafted link.

The attacker can then execute arbitrary script code and access sensitive, browser-based information. Unfortunately, at this time, no workarounds are available to eliminate this attack vector.
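The mechanism described above (user-supplied input reflected into a management page without validation, so a crafted link makes the victim's browser run script) is the classic reflected cross-site scripting pattern. The following is an added example, not Cisco's code and not related to the PCD implementation: a hypothetical search page rendered twice, once reflecting the query verbatim and once with HTML output encoding, plus a small check a reviewer can run to tell the two apart. The `/search` path, the `q` parameter and the sample query are assumptions made up for illustration.

```python
# Added example (not Cisco's code): a minimal reflected-XSS demonstration
# showing why unvalidated, unencoded user input lets a crafted link run script
# in the victim's browser, and how output encoding removes that risk.
# The URL path, parameter name and sample query are assumptions for illustration.
import html
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs


def render_search_page(term: str, encode_output: bool) -> str:
    """Build the HTML for a hypothetical search-results page.

    With encode_output=False the query term is reflected verbatim into the
    page, so markup supplied in the URL becomes part of the DOM (the bug).
    With encode_output=True the term is HTML-entity encoded, so the browser
    shows it as text and never executes it (the fix).
    """
    shown = html.escape(term, quote=True) if encode_output else term
    return (
        "<!doctype html><html><body>"
        f"<h1>Results for: {shown}</h1>"
        "</body></html>"
    )


def is_reflected_unencoded(page: str, term: str) -> bool:
    """Defensive check: does the rendered page contain the raw term?

    True means angle brackets or quotes from the input survived into the
    markup, i.e. the page would interpret user-controlled input as HTML.
    """
    return term in page and any(c in term for c in "<>\"'")


class SearchHandler(BaseHTTPRequestHandler):
    """Tiny local server that serves only the hardened page at /search?q=..."""

    def do_GET(self):
        url = urlparse(self.path)
        term = parse_qs(url.query).get("q", [""])[0]
        body = render_search_page(term, encode_output=True).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        # Defense in depth: a CSP without 'unsafe-inline' blocks inline script
        # even if encoding is missed somewhere else in the application.
        self.send_header("Content-Security-Policy",
                         "default-src 'self'; script-src 'self'")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


# Constructed sample input: a query string carrying markup instead of a word.
SAMPLE_TERM = "<script>alert(1)</script>"


if __name__ == "__main__":
    vulnerable = render_search_page(SAMPLE_TERM, encode_output=False)
    hardened = render_search_page(SAMPLE_TERM, encode_output=True)
    print("unencoded reflection:", is_reflected_unencoded(vulnerable, SAMPLE_TERM))
    print("encoded reflection:  ", is_reflected_unencoded(hardened, SAMPLE_TERM))
    # Serve the hardened page locally so the behaviour can be seen in a browser.
    HTTPServer(("127.0.0.1", 8080), SearchHandler).serve_forever()
```

The important design choice is that the fix is applied at output time (`html.escape` where the value is written into HTML) rather than by trying to filter "bad" input on the way in, and that the `Content-Security-Policy` header is a second, independent layer so a single missed encoding does not become remote script execution in an administrator's browser.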

The good news is that the Cisco Product Security Incident Response Team (PSIRT) has not detected any evidence of malicious activity in the wild, nor are they aware of any public exploit code targeting this bug.

Zero-day IP Phone Vulnerability Still Awaiting Patch

Cisco is also grappling with another high-severity IP Phone zero-day. The vulnerability is tracked as CVE-2022-20968 and was publicly disclosed in early December 2023.

Although the company promised to release security updates in January 2023, the bug remains unpatched several months after its initial disclosure.

Cisco 7800 and 8800 Series IP Phones running firmware version 14.2 and earlier are affected by CVE-2022-20968. While the company has not provided any workarounds for this IP Phone zero-day, it has advised administrators to apply a temporary mitigation by disabling the Cisco Discovery Protocol on affected devices that support Link Layer Discovery Protocol (LLDP).
