Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Cisco Patches Critical Vulnerability in Unity Connection Product

Cisco Unity Connection flaw could allow remote, unauthenticated attackers to upload arbitrary files and execute commands on the system.

Cisco on Wednesday announced patches for a critical-severity vulnerability in the Unity Connection unified messaging and voicemail solution.

The issue, tracked as CVE-2024-20272, can be exploited remotely, without authentication, to upload arbitrary files to a system, execute commands on the underlying operating system, and elevate privileges to root.

“This vulnerability is due to a lack of authentication in a specific API and improper validation of user-supplied data. An attacker could exploit this vulnerability by uploading arbitrary files to an affected system,” Cisco explains in its advisory.

Cisco Unity Connection versions 12.5.1.19017-4 and 14.0.1.14006-5 resolve the flaw. Both are engineering special releases and Cisco customers are advised to contact the tech giant to receive them.

According to Cisco, there are no workarounds available for this vulnerability. The tech company is not aware of any in-the-wild exploitation of the bug.

On Wednesday, however, the company warned that proof-of-concept (PoC) code has been released for a medium-severity security defect in WAP371 Wireless-AC/N dual radio access point, which has been discontinued.

Tracked as CVE-2024-20287, the flaw impacts the web-based management interface of WAP371 devices with Single Point Setup and could lead to command injections.

Described as an improper validation of user-supplied input, the bug allows an attacker authenticated as an administrator to send crafted HTTP requests to the interface of a vulnerable device to execute arbitrary commands with root privileges.

Advertisement. Scroll to continue reading.

Cisco announced in 2019 that WAP371 had reached end-of-life (EOL) status and that no software maintenance releases or bug fixes would be shipped starting September 2020.

The company recommends that customers still using the discontinued product migrate to the Cisco Business 240AC AP.

“The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability,” Cisco notes, adding that it has not observed malicious exploitation of the bug.

This week, the company also announced patches for multiple medium-severity flaws in TelePresence Management Suite (TMS), ThousandEyes Enterprise Agent, Evolved Programmable Network Manager (EPNM) and Prime Infrastructure, BroadWorks platform, and Identity Services Engine (ISE).

Additional information can be found on Cisco’s security advisories page.

Related: Exploitation of Recent Cisco IOS XE Vulnerabilities Spikes

Related: Cisco Patches 27 Vulnerabilities in Network Security Products

Related: Rockwell Automation Warns Customers of Cisco Zero-Day Affecting Stratix Switches

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.