Critical Cisco Unity Connection flaw gives attackers root privileges. Patch now! (CVE-2024-20272)
Cisco has fixed a critical vulnerability in Cisco Unity Connection that could allow an unauthenticated attacker to upload arbitrary files and gain root privilege on the affected system.
Cisco Unity Connection is a unified messaging and voicemail solution for email inbox, web browser, Cisco Jabber, Cisco Unified IP Phone, smartphone, and tablet.
CVE-2024-20272 is an unauthenticated arbitrary file upload vulnerability in the web-based management interface of Cisco Unity Connection that could be exploited by a remote, unauthenticated threat actor to upload arbitrary files to a targeted system, execute commands on the underlying operating system and gain root privileges.
CVE-2024-20272, reported by software development consultant Maxim Suslov, affects Cisco Unity Connection software releases 12.5 and 14 - but not version 15.
Vulnerabilities in Cisco solutions are often leveraged by attackers.
Last September, Cisco "Hotfixed" a vulnerability in Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense firewalls that was being exploited in the wild.
News URL
https://www.helpnetsecurity.com/2024/01/11/cve-2024-20272/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-01-17 | CVE-2024-20272 | Unspecified vulnerability in Cisco Unity Connection. A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system and execute commands on the underlying operating system. | 9.8 |