Cisco Fixes High-Risk Vulnerability Impacting Unity Connection Software
Jan 11, 2024
Vulnerability / Patch Management
Cisco has released software updates to address a critical security flaw impacting Unity Connection that could permit an adversary to execute arbitrary commands on the underlying system. Tracked as CVE-2024-20272 (CVSS score: 7.3), the vulnerability is an arbitrary file upload bug residing in the web-based management interface and is the result of a lack of authentication in a specific API and improper validation of user-supplied data. "An attacker could exploit this vulnerability by uploading arbitrary files to an affected system," Cisco said in an advisory released Wednesday. "A successful exploit could allow the attacker to store malicious files on the system, execute arbitrary commands on the operating system, and elevate privileges to root." The flaw impacts the following versions of Cisco Unity Connection. Version 15 is not vulnerable. 12.5 and earlier (Fixed in version 12.5.1.19017-4) 14 (Fixed in version 14.0.1.14006-5) Security researcher Maxim ...