Cisco fixes critical flaw in Unity Connection that enables attackers to get root access
Take action: If you are using Cisco Unity Connection, now is the time to plan your patch for this week. Fortunately, there are no known exploits yet, but that will change soon. Don't delay: once a public PoC appears, attackers move in within a day.
Cisco has recently fixed a severe security issue in Unity Connection, a comprehensive voicemail and messaging system.
The vulnerability, tracked as CVE-2024-20272 with an initial CVSS score of 7.3, exists in the web management interface of the software and allows unauthenticated attackers to remotely gain root access on unpatched devices. The flaw stems from insufficient authentication in a specific API and inadequate validation of user-supplied data, which lets an attacker upload arbitrary files to the system, execute commands, and elevate privileges.
Cisco's Product Security Incident Response Team (PSIRT) has not reported any exploits or proof of concept code.
The fixed versions for different releases of Cisco Unity Connection are as follows:
- For version 12.5 and earlier: 12.5.1.19017-4
- For version 14: 14.0.1.14006-5
- Version 15 is not affected by this vulnerability.
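As an added example (not Cisco's own tooling), the following Python checker maps an installed version string to the fixed build listed above; the version-string layout and the assumption that a higher build within the same train also carries the fix are this example's, not the advisory's.

```python
"""Map a Cisco Unity Connection version to its CVE-2024-20272 fix status.

Fixed builds come from the article above; the version layout "major.minor.maint.build-rev"
and the assumption that a higher build in the same train carries the fix are this example's.
"""
import re
from typing import Optional, Tuple

# Fixed builds per release train, exactly as listed in the article.
FIXED_BY_TRAIN = {
    "12.5": "12.5.1.19017-4",  # covers 12.5 and every earlier release
    "14": "14.0.1.14006-5",
}
UNAFFECTED_TRAINS = {"15"}  # Version 15 is not affected


def parse_version(version: str) -> Tuple[int, ...]:
    """Split "12.5.1.19017-4" into (12, 5, 1, 19017, 4) so tuples compare numerically.

    A bare "12.5" becomes (12, 5), which Python orders before any longer 12.5.x tuple,
    so an incomplete version string is treated as older than the fixed build.
    """
    parts = re.split(r"[.-]", version.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def release_train(parsed: Tuple[int, ...]) -> str:
    """Pick the train whose fixed build applies to this version."""
    if parsed[0] >= 15:
        return "15"
    if parsed[0] == 14:
        return "14"
    return "12.5"  # 12.5 and earlier all move to the 12.5 fixed build


def check_version(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, target_build); status is 'unaffected', 'fixed' or 'vulnerable'."""
    parsed = parse_version(version)
    train = release_train(parsed)
    if train in UNAFFECTED_TRAINS:
        return "unaffected", None
    fixed = FIXED_BY_TRAIN[train]
    return ("fixed" if parsed >= parse_version(fixed) else "vulnerable"), fixed


if __name__ == "__main__":
    # Constructed sample inventory; only the fixed builds come from the advisory.
    for v in ["11.5.1.10000-6", "12.5.1.19017-3", "12.5.1.19017-4", "14.0.1.13900-2", "15.0.1.10000-1"]:
        print(v, "->", check_version(v))
```

Run it against a version inventory exported from your management tooling; anything reported as "vulnerable" should be scheduled for the listed target build.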