Cisco on Wednesday announced patches for a critical-severity vulnerability in the Unity Connection unified messaging and voicemail solution.
The issue, tracked as CVE-2024-20272, can be exploited remotely, without authentication, to upload arbitrary files to a system, execute commands on the underlying operating system, and elevate privileges to root.
Cisco Unity Connection versions 12.5.1.19017-4 and 14.0.1.14006-5 resolve the flaw.
Both are engineering special releases and Cisco customers are advised to contact the tech giant to receive them.
According to Cisco, there are no workarounds available for this vulnerability.
The tech company is not aware of any in-the-wild exploitation of the bug.
On Wednesday the company warned that proof-of-concept code has been released for a medium-severity security defect in WAP371 Wireless-AC/N dual radio access point, which has been discontinued.
Tracked as CVE-2024-20287, the flaw impacts the web-based management interface of WAP371 devices with Single Point Setup and could lead to command injections.
Described as an improper validation of user-supplied input, the bug allows an attacker authenticated as an administrator to send crafted HTTP requests to the interface of a vulnerable device to execute arbitrary commands with root privileges.
Cisco announced in 2019 that WAP371 had reached end-of-life status and that no software maintenance releases or bug fixes would be shipped starting September 2020.
This week, the company also announced patches for multiple medium-severity flaws in TelePresence Management Suite, ThousandEyes Enterprise Agent, Evolved Programmable Network Manager and Prime Infrastructure, BroadWorks platform, and Identity Services Engine.
Additional information can be found on Cisco's security advisories page.
This Cyber News was published on www.securityweek.com. Publication date: Thu, 11 Jan 2024 13:13:06 +0000