Critical Cisco Unity Connection Flaw Lets Attackers Run Commands as Root User
A critical-severity vulnerability has been discovered in the web-based management interface of Cisco Unity Connection.
The flaw could allow a remote, unauthenticated attacker to upload arbitrary files to an affected system and run commands on the underlying operating system.
Cisco Unity Connection is a unified messaging and voicemail solution that offers multiple ways to access messages and is intended to help teams collaborate faster.
Cisco has released software updates that address this critical vulnerability. There are no workarounds for it.
Unauthenticated Arbitrary File Upload Vulnerability
With a CVSS score of 7.3, the Cisco Unity Connection unauthenticated arbitrary file upload vulnerability is tracked as CVE-2024-20272.
“A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system and execute commands on the underlying operating system,” Cisco said.
“This vulnerability is due to a lack of authentication in a specific API and improper validation of user-supplied data.”
An attacker could exploit this vulnerability by uploading arbitrary files to an affected system. A successful exploit could allow the attacker to run arbitrary operating system commands, store malicious files on the system, and gain root access.
Cisco's Product Security Incident Response Team (PSIRT) said it is not aware of any malicious use of, or public announcements about, the vulnerability described in this advisory.
Affected Products
This vulnerability affects Cisco Unity Connection.
Patch Available
Cisco has released free software updates that fix the issue.
| Cisco Unity Connection Release | First Fixed Release |
|---|---|
| 12.5 and earlier | 12.5.1.19017-41 |
| 14 | 14.0.1.14006-51 |
| 15 | Not vulnerable |
Users are advised to upgrade to the latest version to prevent this vulnerability from being exploited.
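As an added example (not part of the original article and not Cisco's own tooling), the following Python helper checks an installed Cisco Unity Connection version string against the first fixed releases listed in the table above. It assumes the dotted-plus-build format shown there (e.g. 12.5.1.19017-41), and treats any release train the table does not cover as unknown rather than guessing.

```python
# Added example: classify an installed Cisco Unity Connection release
# against the first fixed releases for CVE-2024-20272 from the advisory
# table. The version-string format is assumed from that table.
import re
from typing import Optional, Tuple

# First fixed release per release train, as listed in the advisory table.
FIRST_FIXED = {
    "12.5 and earlier": "12.5.1.19017-41",
    "14": "14.0.1.14006-51",
}

def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn '12.5.1.19017-41' into (12, 5, 1, 19017, 41) for tuple comparison."""
    ver = ver.strip()
    if not re.fullmatch(r"\d+(\.\d+)*(-\d+)?", ver):
        raise ValueError(f"unrecognised version string: {ver!r}")
    return tuple(int(part) for part in re.split(r"[.-]", ver))

def train_for(ver: Tuple[int, ...]) -> Optional[str]:
    """Map a parsed version to a row of the table, or None if not covered."""
    if ver[0] <= 12:
        return "12.5 and earlier"
    if ver[0] == 14:
        return "14"
    return None

def assess(installed: str) -> str:
    """Return 'vulnerable', 'fixed', 'not vulnerable' or 'unknown'."""
    ver = parse_version(installed)
    if ver[0] == 15:
        return "not vulnerable"  # release 15 is listed as not vulnerable
    train = train_for(ver)
    if train is None:
        return "unknown"  # release train not covered by the advisory table
    fixed = parse_version(FIRST_FIXED[train])
    # Python compares tuples element by element, and a shorter tuple that is a
    # prefix of a longer one sorts first, so '12.5' ranks below '12.5.1.19017-41'.
    return "fixed" if ver >= fixed else "vulnerable"

if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for sample in ["11.5.1.10000-1", "12.5.1.19017-40", "12.5.1.19017-41",
                   "14.0.1.14006-51", "15.0.1.10000-5", "13.0.1"]:
        print(f"{sample:18} -> {assess(sample)}")
```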
Source credit: cybersecuritynews.com