Cisco Unity critical vulnerability

Summary

Cisco has patched a critical vulnerability in its Unity product. The vulnerability allows unauthorized attackers to gain remote access to root privileges on unpatched devices. At the time of writing, Cisco has confirmed that this is not being exploited in the wild.

CVE-2024-20272 (CVSS 3.1 score: 7.3): located in the web-based management interface. The vulnerability allows attackers to execute commands by uploading arbitrary files and to elevate privileges to root.

Affected products

Version 12.5 and earlier versions

Version 14

Security recommendations

Cisco recommends updating to one of the following versions:

  • 5.1.19017-4
  • 0.1.14006-5
  • Version 15 is not vulnerable