This advisory is for organizations that use Cisco Unity Connection to support virtualized messaging and voicemail accessibility. If your organization does not use this product, this notification may be discarded.
Summary
Cisco has released a patch to address a critical vulnerability caused by improper validation of user-supplied data and a lack of authentication in a specific API on the Cisco Unity Connection platform. This vulnerability could allow an unauthenticated remote attacker to use the web-based management interface to upload an arbitrary file and execute commands on the underlying operating system as root.
Currently, there are no reports of this vulnerability having been exploited in the wild.
CVE-2024-20727 – Cisco Unity Connection Unauthenticated Arbitrary File Upload Vulnerability
CVSSv3.1: 7.3
Affected Platforms
Cisco Unity Connection Release | First Fixed Release
12.5 and earlier | 12.5.1.19017-4
14 | 14.0.1.14006-5
15 | Not vulnerable
Mitigations
Cisco has released patches to address this vulnerability.
Additional Resources