Cisco has released a software update to address a critical security vulnerability affecting Unity Connection that could allow an attacker to execute arbitrary commands on the underlying system.
Tracked as CVE-2024-20272 (CVSS score: 7.3), the vulnerability is an arbitrary file upload error in the web-based management interface and is caused by a lack of authentication in a specific API and improper validation of user-supplied data.
“An attacker could exploit this vulnerability by uploading arbitrary files to an affected system,” Cisco said in an advisory published Wednesday. “A successful exploit could allow the attacker to store malicious files on the system, execute arbitrary commands on the operating system, and escalate privileges to root.”
This flaw affects the following versions of Cisco Unity Connection. Version 15 is less vulnerable.
- 12.5 and earlier (fixed in version 12.5.1.19017-4)
- 14 (fixed in version 14.0.1.14006-5)
Security researcher Maxim Suslov is credited with discovering and reporting the vulnerability. Cisco did not mention that the vulnerability was being widely exploited, but recommended that users update to a fixed version to mitigate potential threats.
In addition to the CVE-2024-20272 patch, Cisco has released updates to address 11 moderate-severity vulnerabilities in its software, including the Identity Services Engine, WAP371 Wireless Access Point, ThousandEyes Enterprise Agent, and TelePresence Management Suite (TMS).
However, Cisco noted that it does not plan to release a fix for a command injection bug in WAP371 (CVE-2024-20287, CVSS score: 6.5), saying the device reached end-of-life (EoL) in June 2019. Instead, it recommends customers migrate to Cisco Business 240AC access points.