Researchers at SEC Consult, a cybersecurity consulting firm, have discovered two vulnerabilities in Atos Unify products that could potentially allow attackers to disrupt systems and gain unauthorized access. These vulnerabilities affect the Atos Unify Session Border Controller (SBC), the Unify OpenScape Branch product, and Border Control Function (BCF).

One of the vulnerabilities, identified as CVE-2023-36618, allows an authenticated attacker with low privileges to execute arbitrary PHP functions and operating system commands with root privileges through the affected products’ web interface. The second vulnerability, CVE-2023-36619, can be exploited by an unauthenticated attacker to access and execute certain scripts, potentially leading to a denial-of-service condition or system configuration changes.
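The advisory summary above names the vulnerability class (an authenticated user reaching arbitrary PHP functions, and from there operating system commands) without describing the affected code. The following is an added illustration of that class in generic PHP, written for this article; it is not code from Atos Unify or from SEC Consult's advisory, and the parameter names `action` and `arg` are assumed. It places the weak dispatch pattern beside an allowlisted dispatcher in which the request string is only ever a lookup key, which is the mitigation a code reviewer would ask for regardless of the product.

```php
<?php
// Added example, not vendor code. Shows why caller-chosen function names are
// dangerous and how a fixed allowlist removes the primitive entirely.

// Weak pattern: the request picks both the function and its argument. Any
// callable name reaching $fn can be invoked, including ones that run OS
// commands, so this must never be reachable from a web parameter.
function dispatch_weak(array $request): mixed
{
    $fn  = $request['action'] ?? '';
    $arg = $request['arg'] ?? '';
    return $fn($arg);
}

// Hardened pattern: a constant map from action names to known handlers.
const ACTIONS = [
    'status' => 'action_status',
    'reload' => 'action_reload',
];

function action_status(string $target): string { return "status for $target"; }
function action_reload(string $target): string { return "reload queued for $target"; }

function dispatch_safe(array $request): string
{
    $key = $request['action'] ?? '';
    // The request string is used only as an array key; it is never called.
    if (!array_key_exists($key, ACTIONS)) {
        http_response_code(400);
        return 'unknown action';
    }
    $arg = $request['arg'] ?? '';
    // Constrain the argument to a shape the handlers actually expect.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $arg)) {
        http_response_code(400);
        return 'bad argument';
    }
    return (ACTIONS[$key])($arg);
}

// Constructed requests, as a web framework would hand them to the dispatcher.
echo dispatch_safe(['action' => 'status', 'arg' => 'sbc-1']), PHP_EOL;   // status for sbc-1
echo dispatch_safe(['action' => 'system', 'arg' => 'id']), PHP_EOL;      // unknown action
echo dispatch_safe(['action' => 'reload', 'arg' => 'a;b']), PHP_EOL;     // bad argument
```

The allowlist also answers the review question a fix like this raises: after patching, a grep for dynamic calls (`$var(`, `call_user_func`, `eval`) that take request-derived strings should return nothing in request-handling code.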

While SEC Consult considers these vulnerabilities to have a critical impact, Atos has assigned them a ‘high severity’ rating based on the CVSS score. According to Johannes Greil, the head of SEC Consult Vulnerability Lab, attackers could gain full control over the system and modify its configuration if they have knowledge of low-privileged user credentials.

Notably, the affected web interface is typically not exposed to the internet, and no reachable systems were identified through a brief Shodan analysis. Atos has released patches to address these vulnerabilities and has provided workarounds to mitigate the risk of exploitation.

SEC Consult has published a technical advisory on these vulnerabilities, although proof-of-concept exploit code has not been made public.

About the Author: Fabio, Full Stack Developer

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.
