Priya PatelTLDR:
- Critical Cisco Unity Connection flaw allows attackers to run commands as root user
- Vulnerability allows remote, unauthenticated attackers to upload arbitrary files and execute commands on the underlying operating system
A critical vulnerability has been discovered in Cisco Unity Connection’s web-based management interface, which could allow remote, unauthenticated attackers to upload arbitrary files to a compromised system and run commands on the underlying operating system. This flaw poses a severe threat to the security of the system. Cisco Unity Connection is a unified messaging and voicemail solution that offers various message access options to enhance collaboration.
The vulnerability, tracked as CVE-2024-20272, has a CVSS score of 7.3, indicating its severity. The lack of authentication in a specific API and the improper validation of user-supplied data are the main causes of the vulnerability. Attackers can exploit this flaw by uploading arbitrary files to the system. If successful, they can run arbitrary operating system commands, store malicious files, and gain root access. Cisco has released software upgrades to address this critical vulnerability.
It is important for users to upgrade to the latest version of Cisco Unity Connection in order to prevent this vulnerability from being exploited. Cisco has provided free software upgrades for affected products. The impacted versions and their corresponding fixed releases are as follows:
- 12.5 and earlier: Release 12.5.1.19017-4
- 14: Release 14.0.1.14006-5
- 15: Not vulnerable
Currently, there are no known cases of malicious use or public announcements about this specific vulnerability. However, it is crucial for users to take proactive steps to ensure the security of their systems.
