Systems Engineering is aware of the Cisco Unity Connection Unauthenticated Arbitrary File Upload Vulnerability (CVE-2024-20272).
Cisco rates this vulnerability as CRITICAL.
Description
Cisco announced a vulnerability in the web-based management interface of Cisco Unity Connection (voicemail) that could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system and execute commands on the underlying operating system. A successful attack gives the attacker root access, and therefore complete control of the system. With root access, the attacker can execute malicious commands on the server or use it to attack other parts of the network. The attacker does not need any credentials to exploit this vulnerability.
Scope
This vulnerability is specific to Cisco Unity Connection Phone System servers. Per Cisco’s Security Advisory notice, the specific versions that are affected are as follows:
Course of Action
Cisco has released a patch to remediate affected systems.
For clients whose Cisco Unity Connection servers are managed by Systems Engineering, we will proactively patch your systems and will be in touch about remediating this vulnerability.
For clients who manage their own Cisco Unity Connection servers, we strongly recommend patching all affected systems for this vulnerability. If you would like our assistance with patching, please contact Systems Engineering Customer Service at 207.772.4199 to have a ticket opened to get your system updated.
If you are a Systems Engineering client and have questions about this Security Alert, please contact your Account Manager.