Security News > 2024 > January > Critical Cisco Unity Connection flaw gives attackers root privileges. Patch now! (CVE-2024-20272)

Critical Cisco Unity Connection flaw gives attackers root privileges. Patch now! (CVE-2024-20272)
2024-01-11 11:56

Cisco has fixed a critical vulnerability in Cisco Unity Connection that could allow an unauthenticated attacker to upload arbitrary files and gain root privilege on the affected system.

Cisco Unity Connection is a unified messaging and voicemail solution for email inbox, web browser, Cisco Jabber, Cisco Unified IP Phone, smartphone, and tablet.

CVE-2024-20272 is an unauthenticated arbitrary file upload vulnerability in the web-based management interface of Cisco Unity Connection that could be exploited by a remote, unauthenticated threat actor to upload arbitrary files to a targeted system, execute commands on the underlying operating system and gain root privileges.

CVE-2024-20272, reported by software development consultant Maxim Suslov, affects Cisco Unity Connection software releases 12.5 and 14 - but not version 15.

Vulnerabilities in Cisco solutions are often leveraged by attackers.

Last September, Cisco "Hotfixed" a vulnerability in Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense firewalls that was being exploited in the wild.


News URL

https://www.helpnetsecurity.com/2024/01/11/cve-2024-20272/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2024-01-17 CVE-2024-20272 Unspecified vulnerability in Cisco Unity Connection
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system and execute commands on the underlying operating system.
network
low complexity
cisco
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Cisco 4453 231 3079 1833 613 5756