Cisco has addressed a critical flaw in its Unity Connection that can be exploited by a remote, unauthenticated attacker to gain root privileges on vulnerable devices.
Cisco Unity Connection is a messaging platform and voicemail system that is part of the Cisco Unified Communications suite of products.
The vulnerability tracked as CVE-2024-20272 resides in the web-based management interface of Cisco Unity Connection. A remote, unauthenticated attacker can exploit the issue to upload arbitrary files to an affected system and execute commands on the underlying operating system.
The flaw impacts the following versions of Cisco Unity Connection. Version 15 is not vulnerable.
- 12.5 and earlier (Fixed in version 12.5.1.19017-4)
- 14 (Fixed in version 14.0.1.14006-5)
Cisco’s advisory states that there are no workarounds that address this vulnerability and urges customers to install security patches to fix the bug.
The Cisco PSIRT is not aware of attacks in the wild exploiting this vulnerability.
