Synopsis: Cisco has addressed a critical security flaw in Unity Connection, a virtualized messaging and voicemail solution.
The vulnerability (CVE-2024-20272) exists in the software’s web-based management interface, enabling unauthenticated attackers to gain root privileges on unpatched devices. Attackers can exploit this flaw by uploading arbitrary files to targeted systems, leading to executing arbitrary commands on the underlying operating system and privilege escalation to root.
While there is no evidence of active exploitation or public proof of concept exploits as of this publication, Cisco has released patches to mitigate the risk associated with this vulnerability.
Action: Upgrade to the most recent Cisco Unity Connection release to mitigate this vulnerability.
Associated Articles:
Cisco says critical Unity Connection bug lets attackers get root