Akkadian Provisioning Manager Multiple Vulnerabilities Disclosure

Over the course of routine security research, Rapid7 researchers discovered that the Akkadian Provisioning Manager version 4.50.18, a provisioning solution for a Cisco Unified Communications environment, has a trio of vulnerabilities, which, when combined, can lead to remote code execution on the affected device with elevated privileges. Those issues are summarized in the table below.


| CVE Identifier | CWE Identifier | CVSS score (Severity) | Remediation |
| --- | --- | --- | --- |
| CVE-2021-31579 | CWE-798: Use of Hard-Coded Credentials | 8.2 (High) | No update available; block access with network segmentation. |
| CVE-2021-31580 | CWE-78: Improper Neutralization of Special Elements used in an OS Command (exec) | 7.9 (High) | No update available; restrict user access. |
| CVE-2021-31581 | CWE-269: Improper Neutralization of Special Elements used in an OS Command (vi) | 7.9 (High) | No update available; restrict user access. |
| CVE-2021-31582 | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | | |