Cisco says critical Unity Connection bug lets attackers get root


Cisco has patched a critical Unity Connection security flaw that can let unauthenticated attackers remotely gain root privileges on unpatched devices.


Unity Connection is a fully virtualized messaging and voicemail solution for email inboxes, web browsers, Cisco Jabber, Cisco Unified IP Phone, smartphones, or tablets with high availability and redundancy support.


The vulnerability (CVE-2024-20272) was found in the software's web-based management interface, and it allows attackers to execute commands on the underlying operating system by uploading arbitrary files to vulnerable systems.


"This vulnerability is due to a lack of authentication in a specific API and improper validation of user-supplied data. An attacker could exploit this vulnerability by uploading arbitrary files to an affected system," Cisco explains.


"A successful exploit could allow the attacker to store malicious files on the system, execute arbitrary commands on the operating system, and elevate privileges to root."
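Cisco's description names two defects: an API that does not require authentication, and user-supplied data (the uploaded file and its name) that is not validated before it is used. The following is an added illustration for this article, not Cisco's code and not a reconstruction of the affected API; it models a generic upload handler with both defects beside a hardened version. Every name, path, session token and size limit in it is a hypothetical value chosen for the example.

```python
import os
import re
import secrets

# Hypothetical storage location for the example; not a Cisco path.
UPLOAD_ROOT = "/srv/uploads"
ALLOWED_EXT = {".wav", ".txt"}
MAX_BYTES = 10 * 1024 * 1024
# Constructed stand-in for a real session store: token -> principal.
VALID_SESSIONS = {"sess-0f3a": "operator"}


def escapes_root(path: str) -> bool:
    """True if the normalised path lies outside UPLOAD_ROOT."""
    norm = os.path.normpath(path)
    return os.path.commonpath([UPLOAD_ROOT, norm]) != UPLOAD_ROOT


def vulnerable_store(request: dict) -> str:
    """The defective pattern: no authentication check at all, and the
    client-chosen filename is joined straight into the storage path.
    Returns the destination the handler would write to."""
    return os.path.join(UPLOAD_ROOT, request["filename"])


def hardened_store(request: dict) -> dict:
    """The corrected pattern: the caller must present a valid session, the
    filename is checked against a strict allow-list, the server picks the
    on-disk name itself, and the final path is verified to stay inside
    UPLOAD_ROOT. Returns a result dict instead of raising so callers can
    log the reason for a rejection."""
    if VALID_SESSIONS.get(request.get("session")) is None:
        return {"ok": False, "reason": "authentication required"}
    name = request.get("filename", "")
    # Reject directory components or unexpected characters outright rather
    # than silently stripping them; a rejection is what should reach the log.
    if "/" in name or "\\" in name or not re.fullmatch(
        r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}", name
    ):
        return {"ok": False, "reason": "invalid filename"}
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXT:
        return {"ok": False, "reason": "file type not allowed"}
    if len(request.get("content", b"")) > MAX_BYTES:
        return {"ok": False, "reason": "file too large"}
    # Server-generated name: the client's name is kept only as metadata.
    dest = os.path.join(UPLOAD_ROOT, secrets.token_hex(16) + ext)
    if escapes_root(dest):  # defence in depth; unreachable given the checks above
        return {"ok": False, "reason": "path outside upload root"}
    return {"ok": True, "path": dest, "original_name": name}


if __name__ == "__main__":
    # Constructed requests showing how each handler treats the same input.
    traversal = {"filename": "../../tmp/x.txt", "content": b"hello"}
    print("vulnerable handler would write to:", os.path.normpath(vulnerable_store(traversal)))
    print("hardened handler, no session:", hardened_store(traversal))
    print("hardened handler, valid session:",
          hardened_store({**traversal, "session": "sess-0f3a"}))
    print("hardened handler, good upload:",
          hardened_store({"session": "sess-0f3a", "filename": "greeting.wav", "content": b"RIFF"}))
```

The ordering of checks in `hardened_store` is deliberate: authentication is decided before any user data is inspected, so an unauthenticated caller learns nothing about which filenames or types the endpoint accepts, and the path-containment check at the end catches a future regression in the name handling.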


Luckily, Cisco's Product Security Incident Response Team (PSIRT) said the company has no evidence of public proof of concept exploits for this vulnerability or active exploitation in the wild.


Cisco Unity Connection Release    First Fixed Release
12.5 and earlier                  12.5.1.19017-4
14                                14.0.1.14006-5
15                                Not vulnerable

Command injection flaw with PoC exploit


Today, Cisco also patched ten medium-severity security vulnerabilities in multiple products that allow attackers to escalate privileges, launch cross-site scripting (XSS) attacks, inject commands, and more.


The company says that proof-of-concept exploit code is available online for one of these flaws, a command injection vulnerability tracked as CVE-2024-20287 in the web-based management ..