Cisco has ushered in 2024 with a critical vulnerability in its Cisco Unity Connection unified messaging and voicemail product.
Cisco’s advisory for CVE-2024-20272 explains that the bug exists in Unity Connection’s web management interface.
The bug was discovered by Maxim Suslov. Cisco said it’s not aware of any exploits in the wild.
“This vulnerability is due to a lack of authentication in a specific API and improper validation of user-supplied data,” the advisory states.
It allows an attacker to upload arbitrary files to the system and execute operating system commands.
“A successful exploit could allow the attacker to store malicious files on the system, execute arbitrary commands on the operating system, and elevate privileges to root,” it adds.
There is no workaround for the bug.
The vulnerability affects Unity Connection version 12.5 and earlier; and version 14. Fixed software is available for both branches, and Version 15 is not vulnerable.
Users should note that the fixes aren’t available through the Cisco software download centre; rather, it’s an “engineering special” release, and customers have to contact Cisco’s Technical Assistance Centre (TAC) to obtain the fix.