Cisco has patched Unity Connection with software upgrades to fix a serious security vulnerability that might allow an attacker to run arbitrary instructions on the underlying system. The vulnerability, identified as CVE-2024-20272 (CVSS score: 7.3), is an arbitrary file upload flaw that exists in the web-based administration interface. It is caused by incorrect user-supplied data validation and a lack of authentication in a particular API.
In a warning published on Wednesday, Cisco stated that "an attacker could exploit this vulnerability by uploading arbitrary files to an affected system." "A successful exploit could allow the attacker to store malicious files on the system, execute arbitrary commands on the operating system, and elevate privileges to root."
The following Cisco Unity Connection versions are affected by the bug. Version 15 is not susceptible.
- 12.5 and preceding (Repaired in 126.96.36.19917-4
- 14 (Corrected in 188.8.131.5206-5 version)
Maxim Suslov, a security researcher, is recognized for having found and reported the vulnerability. Although Cisco does not mention the flaw being exploited in the wild, customers are encouraged to update to a corrected version to reduce potential risks.
Cisco has released patches to address 11 medium-severity vulnerabilities in its software, including Identity Services Engine, WAP371 Wireless Access Point, ThousandEyes Enterprise Agent, and TelePresence Management Suite (TMS), in addition to the fix for CVE-2024-20272.
However, Cisco has stated that the device has reached end-of-life (EOL) as of June 2019 and that it does not plan to issue a fix for the command injection bug in WAP371 (CVE-2024-20287, CVSS score: 6.5). Rather, it suggests that users switch to the Cisco Business 240AC Access Point.