Cisco fixes a high-risk vulnerability affecting Unity Connection software

Unity Connection Software

Cisco has released software updates to address a critical security flaw that affects Unity Connection and could allow an adversary to execute arbitrary commands on the underlying system.

Tracked as CVE-2024-20272 (CVSS score: 7.3), the vulnerability is a random file upload bug that resides in the web-based management interface and results from a lack of authentication in a specific API and improper validation of user-supplied data .

“An attacker could exploit this vulnerability by uploading arbitrary files to an affected system,” Cisco said said in an advisory released Wednesday. “A successful exploit could allow the attacker to store malicious files on the system, execute arbitrary commands on the operating system, and escalate privileges to root.”

The bug affects subsequent versions of Cisco Unity Connection. Version 15 is not vulnerable.

  • 12.5 and earlier (fixed in version 12.5.1.19017-4)
  • 14 (fixed in version 14.0.1.14006-5)

Security researcher Maxim Suslov is credited with discovering and reporting the flaw. Cisco makes no mention of the bug being exploited in the wild, but it is recommended that users update to a fixed version to mitigate potential threats.

In addition to the patch for CVE-2024-20272, Cisco also released updates to address 11 moderate vulnerabilities in its software, including Identity Services Engine, WAP371 Wireless Access Point, ThousandEyes Enterprise Agent, and TelePresence Management Suite (TMS).

However, Cisco noted that it does not plan to release a fix for the command injection bug in WAP371 (CVE-2024-20287CVSS Score: 6.5), which states that the device has reached End of Life (EoL) as of June 2019. Instead, customers are recommended to migrate to the Cisco Business 240AC Access Point.

 

#Cisco #fixes #highrisk #vulnerability #affecting #Unity #Connection #software

Total
0
Shares
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
Previous Post
Zero-Day Flaws in Ivanti

Chinese hackers exploit zero-day flaws in Ivanti Connect Secure and Policy Secure

Next Post
Twitter Brute-Force Attack

Mandiant’s X account has been hacked with a brute-force attack

Related Posts