
High-Risk Vulnerability Impacting Cisco Unity Connection Software [CVE-2024-20272]

Cisco has issued software updates to rectify a critical security flaw affecting Unity Connection, potentially enabling a malicious actor to execute arbitrary commands on the underlying system.

Tracked as CVE-2024-20272 (CVSS score: 7.3), the vulnerability is an arbitrary file upload flaw in the web-based management interface. It exists because a specific API does not require authentication and because user-supplied data is not properly validated, so an unauthenticated remote attacker can reach the upload functionality and control what is written to the system.

In an advisory released on Wednesday, Cisco stated, “An attacker could exploit this vulnerability by uploading arbitrary files to an affected system.” Successful exploitation could allow the attacker to store malicious files on the system, execute arbitrary commands on the underlying operating system, and elevate privileges to root.

The following versions of Cisco Unity Connection are affected, with Version 15 identified as non-vulnerable:

  • 12.5 and earlier (Resolved in version 12.5.1.19017-4)
  • 14 (Resolved in version 14.0.1.14006-5)

Security researcher Maxim Suslov is credited with discovering and reporting the flaw. Although Cisco has not reported any instances of the bug being exploited in the wild, users are strongly advised to update to the fixed versions, since the unauthenticated nature of the flaw gives an attacker a direct path to root on an exposed management interface.

In addition to addressing CVE-2024-20272, Cisco has released updates to address 11 medium-severity vulnerabilities across its software portfolio, including Identity Services Engine, WAP371 Wireless Access Point, ThousandEyes Enterprise Agent, and TelePresence Management Suite (TMS).

However, Cisco has clarified that it does not intend to provide a fix for the command injection vulnerability in WAP371 (CVE-2024-20287, CVSS score: 6.5). The company stated that the device has reached end-of-life (EoL) as of June 2019 and recommends customers migrate to the Cisco Business 240AC Access Point.

Kerry Dean

Kerry is a Content Creator at www.systemtek.co.uk. She has spent many years working in IT support; her main interests are computing, networking and AI.
