Cisco has released application updates to address a critical security flaw impacting Unity Link that could permit an adversary to execute arbitrary commands on the underlying system.
Tracked as CVE-2024-20272 (CVSS score: 7.3), the vulnerability is an arbitrary file add bug residing in the web-centered administration interface and is the result of a absence of authentication in a unique API and poor validation of consumer-equipped info.
“An attacker could exploit this vulnerability by uploading arbitrary data files to an afflicted process,” Cisco stated in an advisory released Wednesday. “A successful exploit could let the attacker to retail store malicious documents on the system, execute arbitrary commands on the working method, and elevate privileges to root.”
The flaw impacts the following variations of Cisco Unity Connection. Version 15 is not vulnerable.
- 12.5 and before (Preset in variation 18.104.22.16817-4)
- 14 (Mounted in model 14..1.14006-5)
Security researcher Maxim Suslov has been credited with discovering and reporting the flaw. Cisco helps make no mention of the bug being exploited in the wild, but it is really advised that end users update to a preset variation to mitigate opportunity threats.
Along with the patch for CVE-2024-20272, Cisco has also delivered updates to take care of 11 medium-severity vulnerabilities spanning its application, like Identification Products and services Motor, WAP371 Wi-fi Access Level, ThousandEyes Organization Agent, and TelePresence Administration Suite (TMS).
Cisco, however, mentioned that it does not intend to launch a correct for the command injection bug in WAP371 (CVE-2024-20287, CVSS rating: 6.5), stating that the gadget has achieved end-of-lifestyle (EoL) as of June 2019. It really is instead recommending shoppers migrate to the Cisco Enterprise 240AC Obtain Issue.
Identified this post fascinating? Abide by us on Twitter and LinkedIn to read a lot more unique content material we write-up.
Some elements of this posting are sourced from: