A critical vulnerability of severe severity has been found in Cisco Unity Connection’s web-based management interface.
This flaw might allow a remote, unauthenticated attacker to upload arbitrary files to a compromised system and run commands on the underlying operating system.
With its various message access choices, Cisco Unity Connection is a powerful unified messaging and voicemail solution that helps you collaborate more quickly.
Cisco has published software upgrades to address this critical vulnerability. There are no workarounds for this vulnerability.
Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.
Unauthenticated Arbitrary File Upload Vulnerability
With a CVSS score of 7.3, the Cisco unity connection unauthenticated arbitrary file upload vulnerability is tracked as CVE-2024-20272.
“A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system and execute commands on the underlying operating system,” Cisco said.
“This vulnerability is due to a lack of authentication in a specific API and improper validation of user-supplied data.”
An attacker could exploit this vulnerability by uploading arbitrary files to a compromised system. If the exploit is successful, the attacker might be able to run arbitrary operating system commands, store malicious files on the system, and gain root access.
The Product Security Incident Response Team (PSIRT) at Cisco stated that the organization is unaware of any malicious use or public announcements about the vulnerability detailed in this warning.
Affected Products
This vulnerability impacts the Cisco Unity Connection.
Patch Available
Free software upgrades that fix the issue have been made available by Cisco.
| Cisco Unity Connection Release | First Fixed Release |
|---|---|
| 12.5 and earlier | 12.5.1.19017-41 |
| 14 | 14.0.1.14006-51 |
| 15 | Not vulnerable |
It is recommended that users upgrade to the latest version to prevent this vulnerability from getting exploited.
Try Kelltron’s cost-effective penetration testing services for free to assess and evaluate the security posture of digital systems.