Security News > 2024 > January > Critical Cisco Unity Connection flaw gives attackers root privileges. Patch now! (CVE-2024-20272)
![Critical Cisco Unity Connection flaw gives attackers root privileges. Patch now! (CVE-2024-20272)](/static/build/img/news/critical-cisco-unity-connection-flaw-gives-attackers-root-privileges-patch-now-cve-2024-20272-medium.jpg)
Cisco has fixed a critical vulnerability in Cisco Unity Connection that could allow an unauthenticated attacker to upload arbitrary files and gain root privilege on the affected system.
Cisco Unity Connection is a unified messaging and voicemail solution for email inbox, web browser, Cisco Jabber, Cisco Unified IP Phone, smartphone, and tablet.
CVE-2024-20272 is an unauthenticated arbitrary file upload vulnerability in the web-based management interface of Cisco Unity Connection that could be exploited by a remote, unauthenticated threat actor to upload arbitrary files to a targeted system, execute commands on the underlying operating system and gain root privileges.
CVE-2024-20272, reported by software development consultant Maxim Suslov, affects Cisco Unity Connection software releases 12.5 and 14 - but not version 15.
Vulnerabilities in Cisco solutions are often leveraged by attackers.
Last September, Cisco "Hotfixed" a vulnerability in Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense firewalls that was being exploited in the wild.
News URL
https://www.helpnetsecurity.com/2024/01/11/cve-2024-20272/
Related news
- Critical Cisco bug lets hackers add root users on SEG devices (source)
- Exploit for critical Progress Telerik auth bypass released, patch now (source)
- Exploit for critical Veeam auth bypass available, patch now (source)
- VMware fixes critical vCenter RCE vulnerability, patch now (source)
- GitLab Releases Patch for Critical CI/CD Pipeline Vulnerability and 13 Others (source)
- Critical Windows licensing bugs, plus two others under attack, top Patch Tuesday (source)
- Critical Apache HugeGraph Vulnerability Under Attack - Patch ASAP (source)
- Cisco Warns of Critical Flaw Affecting On-Prem Smart Software Manager (source)
- Cisco fixes critical flaws in Secure Email Gateway and SSM On-Prem (CVE-2024-20401, CVE-2024-20419) (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-01-17 | CVE-2024-20272 | Unspecified vulnerability in Cisco Unity Connection A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system and execute commands on the underlying operating system. | 9.8 |