Critical Cisco Unity Connection flaw gives attackers root privileges. Patch now! (CVE-2024-20272)
Cisco has fixed a critical vulnerability (CVE-2024-20272) in Cisco Unity Connection that could allow an unauthenticated attacker to upload arbitrary files and gain root privileges on the affected system.
Cisco Unity Connection is a unified messaging and voicemail solution that delivers messages to email inboxes, web browsers, Cisco Jabber, Cisco Unified IP Phones, smartphones, and tablets.
CVE-2024-20272 is an arbitrary file upload vulnerability in the web-based management interface of Cisco Unity Connection. A remote attacker with no credentials could exploit it to upload arbitrary files to a targeted system, execute commands on the underlying operating system, and elevate their privileges to root.
“This vulnerability is due to a lack of authentication in a specific API and improper validation of user-supplied data,” Cisco noted in the security advisory.
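The two root causes Cisco names, a missing authentication check and unvalidated user-supplied data, are a well-known pairing in upload handlers. The sketch below is an added example written for this article, not Cisco's code, and does not describe how Unity Connection's API actually works: the storage directory, the request shape, the session field and the allowlist of file names are all assumptions. It places a handler with both defects beside one that fixes both, and runs each against a constructed directory-traversal payload in a scratch directory.

```python
"""Illustrative sketch (added example, not Cisco's code) of the bug class
behind CVE-2024-20272: an upload API that (a) never checks the caller is
authenticated and (b) trusts the client-supplied file name. Nothing here
reflects Unity Connection's real code paths; the paths, request shape and
allowlist below are assumptions made for the example."""

import os
import re
import tempfile
from dataclasses import dataclass, field

UPLOAD_ROOT = "/var/www/uploads"  # assumed storage directory


@dataclass
class Request:
    """Minimal stand-in for an HTTP request to an upload endpoint."""
    filename: str
    body: bytes
    session: dict = field(default_factory=dict)  # empty dict = anonymous caller


class UploadRejected(Exception):
    pass


def vulnerable_upload(req: Request, root: str = UPLOAD_ROOT) -> str:
    """The bug class: no authentication check, and the client-controlled name
    is joined straight onto the storage root. A name such as
    '../../some/web/root/shell.jsp' escapes the upload directory, so the
    attacker's bytes land wherever the service account can write.
    Returns the resolved path that was actually written."""
    dest = os.path.join(root, req.filename)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(req.body)
    return os.path.realpath(dest)


SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(wav|mp3)$")  # assumed allowlist


def hardened_upload(req: Request, root: str = UPLOAD_ROOT) -> str:
    """Fixes both halves of the advisory's description.

    1. Authentication: refuse anonymous callers before touching the filesystem.
    2. Validation: accept only an allowlisted basename, then confirm the
       resolved path is still inside the upload root (defence in depth
       against separator or normalisation tricks the regex might miss)."""
    if not req.session.get("user"):
        raise UploadRejected("authentication required")

    name = os.path.basename(req.filename)
    if name != req.filename or not SAFE_NAME.fullmatch(name):
        raise UploadRejected(f"rejected file name: {req.filename!r}")

    root_real = os.path.realpath(root)
    dest = os.path.realpath(os.path.join(root_real, name))
    if os.path.commonpath([root_real, dest]) != root_real:
        raise UploadRejected("path escapes upload root")

    os.makedirs(root_real, exist_ok=True)
    # Create-only open: never silently overwrite an existing file.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(req.body)
    return dest


def demo() -> dict:
    """Runs both handlers against a constructed traversal payload inside a
    scratch directory and reports where the bytes ended up."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "uploads")
    os.makedirs(root)
    inside = os.path.realpath(root) + os.sep
    results = {}

    # Constructed attacker request: anonymous, traversal in the file name.
    evil = Request("../escaped.txt", b"<%-- constructed payload --%>")
    written = vulnerable_upload(evil, root=root)
    results["vuln_escaped_root"] = not written.startswith(inside)

    checks = {
        "anon_blocked": Request("greeting.wav", b"RIFF"),
        "traversal_blocked": Request("../escaped.txt", b"x", {"user": "admin"}),
    }
    for label, req in checks.items():
        try:
            hardened_upload(req, root=root)
            results[label] = False
        except UploadRejected:
            results[label] = True

    ok = hardened_upload(Request("greeting.wav", b"RIFF", {"user": "admin"}), root=root)
    results["valid_inside_root"] = ok.startswith(inside)
    return results


if __name__ == "__main__":
    print(demo())
```

The realpath/commonpath check is deliberately kept even though the allowlist regex already excludes separators: if a later change loosens the regex, the containment check still stops the write from leaving the upload root.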
CVE-2024-20272, reported by software development consultant Maxim Suslov, affects Cisco Unity Connection software releases 12.5 (and earlier) and 14 – but not version 15.
Customers are urged to update to the fixed releases, as there are no workarounds.
“The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory,” the company stated.
Cisco software under attack
Vulnerabilities in Cisco products are routinely exploited by attackers.
Last September, Cisco “hotfixed” a vulnerability (CVE-2023-20269) in Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) firewalls that was being exploited in the wild.
The following month, the company fixed an exploited zero-day vulnerability (CVE-2023-20198) that affected networking devices running Cisco IOS XE software.