The AVOXI Blog:
The Most Educational VOIP Call Center Software and Business Phone System Blog in the World!

Cisco Call Manager Vulnerability

Cisco Unified Communications Manager, developed by Cisco Systems, is vulnerable to PIN brute force attacks.

Roberto Suggi, founder of Open Web Application Security Project, discovered a security flaw in Cisco Call Manager: registered accounts can be subjected to PIN brute force attacks.

How can it be possible?

When the hard-phone performs an HTTP request to the Cisco Call Manager, certain URLs allow the device to retrieve personal address book details or fast dials.

The hard-phone initiates the login sequence with an “HTTP GET” request of the following form: GET – https://192.1.225/ccmpd/

The response contains a reference to the page, along with a “sid” token, which is used in the subsequent requests.


The “sid” token is required to perform the PIN brute force attack. The response also reveals which parameters the login request expects, such as “userID” and “PIN”.

The login request itself is a GET request carrying the sid token together with those two parameters: GET – …=value&userID=<userID>&PIN=<PIN>, where value is the sid token returned in the previous response.

At this point the PIN brute force attack becomes possible: a valid sid token must be passed when authenticating the user, and the attacker now holds one.

In the case that the “userID/PIN” is invalid, the following response is returned to the hacker:


“userID” enumeration does not appear to be possible, so in this case the hacker would take a large username dictionary file and try each name against the same PIN (e.g. 1234, 12345).

This can be done easily with the Intruder tab of a tool named “Burp”:

If the correct “userID/PIN” is found, the response will contain the links for each service:



As seen above, the sequence of requests can be trivially automated with a web proxy (Burp) by defining a macro:

Web Proxy

Another brute force program, HYDRA, is available on the internet; it is capable of performing brute force HTTP web requests and retrieving the hard-phone credentials as explained above.

Cisco released its semiannual Cisco IOS Software Security Advisory Bundled Publication on September 26, 2012, about a week before these vulnerabilities were discovered. This publication included eight Security Advisories that all address vulnerabilities in Cisco IOS Software, and one advisory addressed a vulnerability in Cisco Unified Communications Manager.

To date, there has not been a press release or patch from Cisco regarding how to address the PIN brute force attacks.
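With no vendor fix available, the pattern this post describes is at least detectable at the web tier, because the login travels as a GET request and therefore lands in any reverse-proxy or web-server access log. The following is an added example, not code from AVOXI, Cisco or the original research: it parses constructed access-log lines (Apache/nginx combined style; CUCM's own log format is an assumption), keeps the /ccmpd/ path and the “userID”/“PIN” parameter names from the post, and assumes a login path of /ccmpd/login. It distinguishes the two behaviours above: many PINs against one userID (brute force) and one PIN against many userIDs (the dictionary-vs-1234 case).

```python
"""Detect PIN brute force and PIN spraying against the phone-services login endpoint.

Assumptions (not from the post): combined-style access logs, the /ccmpd/login path,
and the thresholds below. Sample lines are constructed for this example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PREFIX = "/ccmpd/"  # phone-services path from the post; exact login path is assumed


def parse_line(line):
    """Return a dict with ip, ts, path and the login parameters, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    # Parameter names are matched case-insensitively (the post writes "userID" and "PIN").
    qs = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": parts.path,
        "user": qs.get("userid"),
        "pin": qs.get("pin"),
    }


def login_attempts(lines):
    """Yield only requests that submit a userID/PIN pair to the phone-services path."""
    for line in lines:
        ev = parse_line(line)
        if ev and ev["path"].startswith(LOGIN_PREFIX) and ev["user"] and ev["pin"]:
            yield ev


def detect(lines, window=timedelta(minutes=5), max_attempts=10, max_users=5):
    """Return {source_ip: alert} for sources exceeding the thresholds inside a sliding window.

    Every submission counts as an attempt: the post distinguishes success by the service
    links in the response body, so the HTTP status code alone is not a reliable signal.
    Distinct PIN values are only counted, never stored or emitted.
    """
    by_ip = defaultdict(list)
    for ev in login_attempts(lines):
        by_ip[ev["ip"]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < max_attempts:
                continue
            users = Counter(e["user"] for e in win)
            pins = Counter(e["pin"] for e in win)
            if len(users) >= max_users:
                kind = "pin-spray"        # many userIDs, a fixed PIN such as 1234
            elif len(pins) >= max_attempts:
                kind = "pin-bruteforce"   # one userID, many PIN guesses
            else:
                continue
            alerts[ip] = {"kind": kind, "attempts": len(win),
                          "distinct_users": len(users), "distinct_pins": len(pins)}
            break
    return alerts


def sample_line(ip, sec, target):
    """Build one constructed combined-style log line at 10:00:<sec> on 01/Oct/2012."""
    return f'{ip} - - [01/Oct/2012:10:00:{sec:02d} +0000] "GET {target} HTTP/1.1" 200 210'


# Constructed sample: one legitimate phone login, one spraying source, one brute-forcing source.
SAMPLE_LOG = (
    [sample_line("192.0.2.5", 0, "/ccmpd/"),
     sample_line("192.0.2.5", 1, "/ccmpd/login?sid=s1&userID=carol&PIN=8472")]
    + [sample_line("203.0.113.7", i, f"/ccmpd/login?sid=s2&userID=user{i}&PIN=1234") for i in range(12)]
    + [sample_line("198.51.100.9", i, f"/ccmpd/login?sid=s3&userID=bob&PIN={i:04d}") for i in range(12)]
)

if __name__ == "__main__":
    for ip, alert in detect(SAMPLE_LOG).items():
        print(ip, alert)
```

Because the PIN is sent in a GET query string, it is written to every proxy and server access log along the way; the detector therefore only counts distinct values and should be run on logs whose retention and access are already restricted. The thresholds are deliberately conservative for a phone fleet that logs in rarely, and any source tripping them is a candidate for blocking at the proxy until Cisco ships a fix.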


David Wise

Chief Executive Officer, Founder at AVOXI
David has more than 18 years of management experience in the telecommunications industry. A graduate of the Citadel, David worked as a Senior Account Executive with Intermedia Communications and later co-founded Rapid Link, a leading provider of international callback and VoIP. David then founded AVOXI in 2001 with a focus on providing niche international call center markets with customized voice and data services.
