A "highly critical" vulnerability in Cisco's flagship Collaboration Server could put users at risk of malicious code execution, the company said in an advisory.

Cisco, which dominates the market for switching and routing equipment used to link networks, said the vulnerability was found in versions of its Cisco Collaboration Server (CCS) that ship with the ServletExec subcomponent.


"Unauthorized users can upload any file and gain administrative privileges," Cisco warned in the advisory posted online.

The vulnerability affects CCS (prior to 5.0) using a ServletExec version prior to 3.0E. Independent research firm Secunia has tagged the flaw with a "highly critical" rating because it can be exploited to gain system access from remote locations.

Users of Cisco Collaboration Server 4.x can apply a fix using an automated script (available here). Detailed workarounds and patching instructions have been posted online.

The Cisco Collaboration Server is used mostly in e-commerce settings to provide electronic CRM services. It enables "click-for-help" buttons on Web sites to let businesses interact with customers by voice (PSTN or VoIP) or via text chat.

The CCS can also be used to handle online collaboration features like two-way Web-page sharing, Follow-Me browsing, form sharing and real-time application sharing.