Cisco patches unified messaging bug

4 months ago AndyC

Cisco has ushered in 2024 with a critical vulnerability in its Cisco Unity Connection unified messaging and voicemail product.

Cisco patches unified messaging bug

Cisco has ushered in 2024 with a critical vulnerability in its Cisco Unity Connection unified messaging and voicemail product.




Cisco patches unified messaging bug










Cisco’s advisory for CVE-2024-20272 explains that the bug exists in Unity Connection’s web management interface.

The bug was discovered by Maxim Suslov. Cisco said it’s not aware of any exploits in the wild.

“This vulnerability is due to a lack of authentication in a specific API and improper validation of user-supplied data,” the advisory states.

It allows an attacker to upload arbitrary files to the system and execute operating system commands.

“A successful exploit could allow the attacker to store malicious files on the system, execute arbitrary commands on the operating system, and elevate privileges to root,” it adds.

There is no workaround for the bug.

The vulnerability affects Unity Connection version 12.5 and earlier; and version 14. Fixed software is available for both branches, and Version 15 is not vulnerable.

Users should note that the fixes aren’t available through the Cisco software download centre; rather, it’s an “engineering special” release, and customers have to contact Cisco’s Technical Assistance Centre (TAC) to obtain the fix.



About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , ,

More Stories

Too much of a good thing? How security sprawl can weaken defences

Too much of a good thing? How security sprawl can weaken defences

2 days ago AndyC
Kinsing malware exploits Apache Tomcat on Linux clouds

Kinsing malware exploits Apache Tomcat on Linux clouds

2 days ago AndyC
LogicMonitor launches LM Cost Optimisation tool for businesses

LogicMonitor launches LM Cost Optimisation tool for businesses

2 days ago AndyC
Organisations battle AI risks amid rise in supply chain attacks

Organisations battle AI risks amid rise in supply chain attacks

2 days ago AndyC
AUCloud Ramps Expands its Senior Leadership Team

AUCloud Ramps Expands its Senior Leadership Team

2 days ago AndyC
Cyberattacks exploiting trusted ties spanned over a month in 2023

Cyberattacks exploiting trusted ties spanned over a month in 2023

2 days ago AndyC

You may have missed

North Korea-linked IT workers infiltrated hundreds of US firms

North Korea-linked IT workers infiltrated hundreds of US firms

10 hours ago AndyC
The who, where, and how of APT attacks – Week in security with Tony Anscombe

The who, where, and how of APT attacks – Week in security with Tony Anscombe

19 hours ago AndyC
Turla APT used two new backdoors to infiltrate a European ministry of foreign affairs

Turla APT used two new backdoors to infiltrate a European ministry of foreign affairs

1 day ago AndyC

Friday Squid Blogging: Emotional Support Squid

1 day ago AndyC

How to Protect Yourself on Social Networks

1 day ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.