Summary:
Cisco patched a critical vulnerability tracked as CVE-2024-20272 in their Unity Connection product. The flaw could allow an unauthenticated attacker to remotely gain root privileges on unpatched devices. Unity Connection is a fully virtualized messaging and voicemail solution for email inboxes, web browsers, Cisco Jabber, Cisco Unified IP Phone, smartphones, or tablets with high availability and redundancy support.

The vulnerability resides in the software’s web-based management interface, and specifically allows an attacker to execute commands on the operating system by uploading arbitrary files to targeted and vulnerable systems. Lack of authentication on a specific API and improper validation of user-supplied data is the result of the flaw. Cisco says, "A successful exploit could allow the attacker to store malicious files on the system, execute arbitrary commands on the operating system, and elevate privileges to root."

Security Officer Comments:
While the flaw is severe, Cisco’s PSIRT team says there is no evidence of available proof-of-concept code online, and no reports of active exploitation in the wild.

Cisco Unity Connection 12.5 and earlier and 14 will need to be patched to avoid targeted exploitation. Release 15 is not vulnerable to the issue.

Suggested Corrections:
For more information on the vulnerability, users should view the official alert from Cisco which can be found at:

https://sec.cloudapps.cisco.com/sec...rityAdvisory/cisco-sa-cuc-unauth-afu-FROYsCsD.

Threat actors and researchers will likely develop a proof-of-concept for the vulnerability in the coming days, so organizations should actively patch against the flaw before active exploitation occurs.

Link(s):
https://www.bleepingcomputer.com/ne...unity-connection-bug-lets-attackers-get-root/