Cisco has patched a critical Unity Connection security flaw that can let unauthenticated attackers remotely gain root privileges on unpatched devices.
Unity Connection is a fully virtualized messaging and voicemail solution for email inboxes, web browsers, Cisco Jabber, Cisco Unified IP Phone, smartphones, or tablets with high availability and redundancy support.
The vulnerability was found in the software's web-based management interface, and it allows attackers to execute commands on the underlying operating system by uploading arbitrary files to targeted and vulnerable systems.
Luckily, Cisco's Product Security Incident Response Team said the company has no evidence of public proof of concept exploits for this vulnerability or active exploitation in the wild.
Today, Cisco also patched ten medium-severity security vulnerabilities in multiple products that allow attackers to escalate privileges, launch cross-site scripting attacks, inject commands, and more.
The company says that proof-of-concept exploit code is available online for one of these flaws, a command injection vulnerability tracked as CVE-2024-20287 in the web-based management interface of Cisco's WAP371 Wireless Access Point.
Although attackers could exploit this bug to execute arbitrary commands with root privileges on unpatched devices, administrative credentials are also required for successful exploitation.
Cisco says it will not release firmware updates to patch the CVE-2024-20287 security flaw because the Cisco WAP371 device reached end-of-life in June 2019.
The company advises customers with a WAP371 device on their network to migrate to the Cisco Business 240AC Access Point.
In October, Cisco also patched two zero-days exploited to hack over 50,000 IOS XE devices within a single week.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 10 Jan 2024 20:45:03 +0000