CVE-2017-3828 Cisco CVE debrief

Who should care

Cisco Unified Communications Manager Switches administrators, UC platform security teams, and anyone responsible for the web-based management interface on affected devices. Organizations running the affected releases should treat this as a patching and access-control priority for administrative interfaces.

Technical summary

The official NVD record describes an XSS weakness in the web-based management interface of Cisco Unified Communications Manager Switches. The CVSS 3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network reachability, no privileges required, and a user interaction requirement. NVD maps the issue to CWE-79. The source corpus identifies affected releases 11.0(1.10000.10) and 11.5(1.10000.6), and Cisco-referenced fixed releases include 11.0(1.23063.1), 11.5(1.12029.1), 11.5(1.12900.11), 11.5(1.12900.21), 11.6(1.10000.4), and multiple 12.0 builds.

Defensive priority

Medium

Recommended defensive actions

• Upgrade affected Cisco Unified Communications Manager Switches to a Cisco-fixed release listed in the advisory references.
• Restrict access to the web-based management interface to trusted administrative networks or VPN paths.
• Ensure the management interface is not exposed broadly on untrusted networks, especially internet-facing segments.
• Review administrative workflows and user training for the web UI, since the CVSS vector requires user interaction.
• After remediation, verify the running firmware/software version matches a fixed release and continue monitoring the management interface for abnormal behavior.

Evidence notes

This debrief is based only on the supplied official CVE/NVD corpus and the Cisco advisory reference included there. The NVD record provides the CVSS 3.0 vector, CWE-79 classification, affected versions, and vendor-linked references. The CVE publication date is 2017-02-22; the later NVD modified timestamp of 2026-05-13 reflects record maintenance, not the original disclosure date.

Official resources