Cisco has launched software program updates to handle a important security flaw impacting Unity Connection that might allow an adversary to execute arbitrary instructions on the underlying system.
Tracked as CVE-2024-20272 (CVSS rating: 7.3), the vulnerability is an arbitrary file add bug residing within the web-based administration interface and is the results of a scarcity of authentication in a particular API and improper validation of user-supplied knowledge.
“An attacker may exploit this vulnerability by importing arbitrary information to an affected system,” Cisco stated in an advisory launched Wednesday. “A profitable exploit may enable the attacker to retailer malicious information on the system, execute arbitrary instructions on the working system, and elevate privileges to root.”
The flaw impacts the next variations of Cisco Unity Connection. Model 15 shouldn’t be susceptible.
- 12.5 and earlier (Fastened in model 12.5.1.19017-4)
- 14 (Fastened in model 14.0.1.14006-5)
Safety researcher Maxim Suslov has been credited with discovering and reporting the flaw. Cisco makes no point out of the bug being exploited within the wild, nevertheless it’s suggested that customers replace to a hard and fast model to mitigate potential threats.
Alongside the patch for CVE-2024-20272, Cisco has additionally shipped updates to resolve 11 medium-severity vulnerabilities spanning its software program, together with Id Providers Engine, WAP371 Wi-fi Entry Level, ThousandEyes Enterprise Agent, and TelePresence Administration Suite (TMS).
Cisco, nevertheless, famous that it doesn’t intend to launch a repair for the command injection bug in WAP371 (CVE-2024-20287, CVSS rating: 6.5), stating that the system has reached end-of-life (EoL) as of June 2019. It is as an alternative recommending prospects migrate to the Cisco Enterprise 240AC Entry Level.
