January 11, 2024 at 04:01AM
Cisco has issued software updates to address a critical security flaw (CVE-2024-20272 – CVSS score: 7.3) in Unity Connection, allowing arbitrary file upload and execution of commands. Users are advised to update to patched versions to mitigate potential threats. Additionally, 11 medium-severity vulnerabilities have been resolved across Cisco software. Cisco will not release a fix for the command injection bug in WAP371 and advises migration to Cisco Business 240AC Access Point.
Key takeaways from the meeting notes:
1. Cisco has released software updates to address a critical security flaw impacting Unity Connection, tracked as CVE-2024-20272 with a CVSS score of 7.3. This vulnerability allows an attacker to execute arbitrary commands on the underlying system through an arbitrary file upload bug in the web-based management interface.
2. The affected versions of Cisco Unity Connection are 12.5 and earlier (fixed in version 12.5.1.19017-4) and version 14 (fixed in version 14.0.1.14006-5). Version 15 is not vulnerable.
3. Security researcher Maxim Suslov discovered and reported the flaw. Although there is no mention of the bug being exploited in the wild, users are advised to update to a fixed version to mitigate potential threats.
4. In addition to the patch for CVE-2024-20272, Cisco has shipped updates to resolve 11 medium-severity vulnerabilities spanning its software, including Identity Services Engine, WAP371 Wireless Access Point, ThousandEyes Enterprise Agent, and TelePresence Management Suite (TMS).
5. Cisco has not intended to release a fix for the command injection bug in WAP371 (CVE-2024-20287, CVSS score: 6.5) due to the device reaching end-of-life as of June 2019. It’s recommending customers migrate to the Cisco Business 240AC Access Point.
Overall, users are urged to apply the necessary updates to mitigate potential security threats and stay informed about security-related developments by following Cisco’s official channels on Twitter and LinkedIn.