On 10 January 2024, Cisco fixed a high-severity vulnerability (CVE-2024-20272, CVSS: 7.3) affecting specific versions of Cisco Unity Connection. The affected products and first fixed releases are listed below:
Product and Version | First Fixed Release |
Cisco Unity Connection 12.5 | 12.5.1.19017-4 |
Cisco Unity Connection 14 | 14.0.1.14006-5 |
Cisco Unity Connection 15 | Not vulnerable |
The vulnerability exists in a specific API of the web-based management interface which fails to properly validate user-supplied data, subsequently enabling unauthenticated upload of arbitrary files.
This vulnerability may have significant security ramifications: a potential attacker may exploit it to deliver malware or other files for use in a broader attack chain, and to carry out threats with the potential to affect the confidentiality, integrity and/or availability of any data on the system.
It is important to note there is no workaround; remediation involves patching.
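Since patching is the only remediation, the following added example (not Cisco's code and not part of the original advisory) triages an inventory against the table above. It assumes versions are reported in the `12.5.1.19017-4` form and that the reported version reflects the installed fix level; the host names and inventory versions are constructed.

```python
import re

# First fixed releases, copied from the table above. None = train not vulnerable.
FIRST_FIXED = {"12.5": "12.5.1.19017-4", "14": "14.0.1.14006-5", "15": None}

def parse_version(text):
    """Split a version such as '12.5.1.19017-4' into a tuple of integers."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+){3}-\d+", text):
        raise ValueError(f"unrecognised version format: {text!r}")
    return tuple(int(part) for part in re.split(r"[.-]", text))

def train_of(version):
    """Map a parsed version to a release train named in the table, or None."""
    major, minor = version[0], version[1]
    if (major, minor) == (12, 5):
        return "12.5"
    if major in (14, 15):
        return str(major)
    return None

def classify(text):
    """Return 'vulnerable', 'fixed', 'not vulnerable' or 'not listed'."""
    version = parse_version(text)
    train = train_of(version)
    if train is None:
        return "not listed"  # the table on this page does not cover this train
    fixed = FIRST_FIXED[train]
    if fixed is None:
        return "not vulnerable"
    # Compare numerically: as strings, '12.5.1.9000-12' would sort after
    # '12.5.1.19017-4' and be wrongly reported as fixed.
    return "fixed" if version >= parse_version(fixed) else "vulnerable"

# Constructed inventory for illustration (hypothetical hosts and versions).
INVENTORY = {
    "cuc-a.example": "12.5.1.9000-12",
    "cuc-b.example": "12.5.1.19017-4",
    "cuc-c.example": "14.0.1.14006-4",
    "cuc-d.example": "15.0.1.10000-1",
}

def triage(inventory):
    """Classify every host in the inventory."""
    return {host: classify(version) for host, version in inventory.items()}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:16} {INVENTORY[host]:18} {status}")
```

Hosts reported as "not listed" run a release the table does not mention and need a manual check against the vendor advisory.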