
CVE-2024-20272 - Cisco Unity Connection Unauthenticated Arbitrary File Upload Vulnerability

This advisory is for organizations that use Cisco Unity Connection to support virtualized messaging and voicemail accessibility. If your organization does not use this product, this notification may be discarded.

Summary

Cisco has released a patch to address a critical vulnerability caused by improper validation of user-supplied data and a lack of authentication in a specific API on the Cisco Unity Connection platform. This vulnerability could allow an unauthenticated remote attacker to use the web-based management interface to upload an arbitrary file and execute commands on the underlying operating system as root.

Currently, there are no reports of this vulnerability having been exploited in the wild.

CVE-2024-20272 - Cisco Unity Connection Unauthenticated Arbitrary File Upload Vulnerability

CVSS v3.1: 7.3

Affected Platforms

Cisco Unity Connection Release    First Fixed Release
12.5 and earlier                  12.5.1.19017-4
14                                14.0.1.14006-5
15                                Not vulnerable

Mitigations

Cisco has released patches to address this vulnerability.
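As an added example (not part of this advisory or of any Cisco tooling), the following Python checker compares an installed Cisco Unity Connection release string against the first fixed releases listed in the table above. It assumes the version format shown there: numeric components separated by dots, with an optional dash-separated build suffix such as "12.5.1.19017-4".

```python
import re

# First fixed release per release train, taken from the advisory table.
# "12.5 and earlier" means every 12.x and older train fixes at the 12.5 build.
FIRST_FIXED = {
    12: "12.5.1.19017-4",
    14: "14.0.1.14006-5",
}
# Release 15 is listed as not vulnerable.
NOT_VULNERABLE_TRAINS = {15}


def parse_version(version: str) -> tuple:
    """Turn '12.5.1.19017-4' into (12, 5, 1, 19017, 4) so tuples compare numerically.

    Shorter strings such as '12.5' become (12, 5), which sorts below any
    longer 12.5.x build and is therefore treated as pre-fix.
    """
    parts = re.split(r"[.-]", version.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Cisco Unity Connection version: {version!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Classify an installed release as vulnerable, fixed, not vulnerable or unknown."""
    installed = parse_version(version)
    train = installed[0]
    if train in NOT_VULNERABLE_TRAINS:
        return "not vulnerable"
    if train <= 12:
        fixed = parse_version(FIRST_FIXED[12])      # covers "12.5 and earlier"
    elif train in FIRST_FIXED:
        fixed = parse_version(FIRST_FIXED[train])
    else:
        # Trains the advisory table does not list (e.g. anything newer than 15)
        # are flagged for manual review rather than guessed at.
        return "unknown"
    return "fixed" if installed >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("cuc-a", "12.5.1.14000-1"), ("cuc-b", "14.0.1.14006-5"), ("cuc-c", "15.0.1.10000-1")]:
        print(f"{host}: {ver} -> {assess(ver)}")
```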

Additional Resources

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cuc-unauth-afu-FROYsCsD

https://www.bleepingcomputer.com/news/security/cisco-says-critical-unity-connection-bug-lets-attackers-get-root/

https://www.cisecurity.org/advisory/a-vulnerability-in-cisco-unity-connection-could-allow-for-arbitrary-code-execution_2024-003