Cisco has successfully addressed a high-severity security vulnerability in Unity Connection. This flaw had the potential to allow unauthenticated attackers to upload malicious files, execute arbitrary commands, and acquire root privileges on the affected devices.
Details of the Cisco Unity Connection Vulnerability (CVE-2024-20272)
Identified as CVE-2024-20272, this vulnerability carries a CVSS score of 7.3. Despite being classified with critical severity by Cisco, it is crucial to note that it is non-local, requiring neither authentication, privileges, nor user interaction.
The vulnerability, as outlined in Cisco’s advisory, is attributed to a lack of authentication in a specific API and inadequate validation of user-supplied data. This issue specifically impacts the web-based management interface of Cisco Unity Connection, a messaging and voicemail system, posing a substantial security threat.
To exploit CVE-2024-20272, the attacker must upload arbitrary files to the targeted system. A successful exploitation provides the capability to store malicious files, execute arbitrary commands on the operating system, and elevate privileges to root level.
Although primarily categorized as an arbitrary file upload vulnerability, its capacity for privilege escalation raises substantial concerns. Our examination of CISA’s KEV Catalog for 2023 emphasized privilege escalation as the most frequently exploited vulnerability type, with code execution and command injection vulnerabilities closely following. This points to an escalating trend in the exploitation of these vulnerabilities, underscoring the imperative to strengthen our defenses accordingly.
Affected Cisco Unity Connection Versions
Cisco swiftly mitigated the security concern by issuing patches specifically designed for the impacted Unity Connection versions. Given the absence of viable workarounds, the installation of security patches becomes imperative to prevent potential exploitation.
The resolved versions for Cisco Unity Connection are as follows:
- For releases 12.5 and earlier: 188.8.131.5217-41
- For release 14: 184.108.40.20606-51
It is important to note that Cisco has confirmed Unity Connection release 15 to be unaffected by the identified vulnerability, CVE-2024-20272.