Security News > 2024 > January > Critical Cisco Unity Connection flaw gives attackers root privileges. Patch now! (CVE-2024-20272)

Cisco has fixed a critical vulnerability in Cisco Unity Connection that could allow an unauthenticated attacker to upload arbitrary files and gain root privilege on the affected system.
Cisco Unity Connection is a unified messaging and voicemail solution for email inbox, web browser, Cisco Jabber, Cisco Unified IP Phone, smartphone, and tablet.
CVE-2024-20272 is an unauthenticated arbitrary file upload vulnerability in the web-based management interface of Cisco Unity Connection that could be exploited by a remote, unauthenticated threat actor to upload arbitrary files to a targeted system, execute commands on the underlying operating system and gain root privileges.
CVE-2024-20272, reported by software development consultant Maxim Suslov, affects Cisco Unity Connection software releases 12.5 and 14 - but not version 15.
Vulnerabilities in Cisco solutions are often leveraged by attackers.
Last September, Cisco "Hotfixed" a vulnerability in Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense firewalls that was being exploited in the wild.
News URL
https://www.helpnetsecurity.com/2024/01/11/cve-2024-20272/
Related news
- Cisco Patches Critical ISE Vulnerabilities Enabling Root CmdExec and PrivEsc (source)
- Critical Cisco ISE bug can let attackers run commands as root (source)
- Netgear warns users to patch critical WiFi router vulnerabilities (source)
- Choose your own Patch Tuesday adventure: Start with six zero day fixes, or six critical flaws (source)
- Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120) (source)
- Critical Cisco Smart Licensing Utility flaws now exploited in attacks (source)
- Ongoing Cyber Attacks Exploit Critical Vulnerabilities in Cisco Smart Licensing Utility (source)
- CrushFTP: Patch critical vulnerability ASAP! (CVE-2025-2825) (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-01-17 | CVE-2024-20272 | Unspecified vulnerability in Cisco Unity Connection A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system and execute commands on the underlying operating system. | 9.8 |