Cisco has released application updates to address a critical security flaw impacting Unity Link that could permit an adversary to execute arbitrary commands on the underlying system.
Tracked as CVE-2024-20272 (CVSS score: 7.3), the vulnerability is an arbitrary file add bug residing in the web-centered administration interface and is the result of a absence of authentication in a unique API and poor validation of consumer-equipped info.
“An attacker could exploit this vulnerability by uploading arbitrary data files to an afflicted process,” Cisco stated in an advisory released Wednesday. “A successful exploit could let the attacker to retail store malicious documents on the system, execute arbitrary commands on the working method, and elevate privileges to root.”
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
The flaw impacts the following variations of Cisco Unity Connection. Version 15 is not vulnerable.
- 12.5 and before (Preset in variation 12.5.1.19017-4)
- 14 (Mounted in model 14..1.14006-5)
Security researcher Maxim Suslov has been credited with discovering and reporting the flaw. Cisco helps make no mention of the bug being exploited in the wild, but it is really advised that end users update to a preset variation to mitigate opportunity threats.
Along with the patch for CVE-2024-20272, Cisco has also delivered updates to take care of 11 medium-severity vulnerabilities spanning its application, like Identification Products and services Motor, WAP371 Wi-fi Access Level, ThousandEyes Organization Agent, and TelePresence Administration Suite (TMS).
Cisco, however, mentioned that it does not intend to launch a correct for the command injection bug in WAP371 (CVE-2024-20287, CVSS rating: 6.5), stating that the gadget has achieved end-of-lifestyle (EoL) as of June 2019. It really is instead recommending shoppers migrate to the Cisco Enterprise 240AC Obtain Issue.
Identified this post fascinating? Abide by us on Twitter and LinkedIn to read a lot more unique content material we write-up.
Some elements of this posting are sourced from:
thehackernews.com
NoaBot: Latest Mirai-Based Botnet Targeting SSH Servers for Crypto Mining