
CVE-2024-20272: Critical Unauthenticated Arbitrary File Upload Vulnerability in Cisco Unity Connection


On 10 January 2024, Cisco disclosed a critical vulnerability, CVE-2024-20272, with a CVSS score of 7.3, in its Cisco Unity Connection software. This vulnerability allows an unauthenticated remote attacker to upload arbitrary files and execute commands on the underlying operating system. Cisco has released a patch to address the issue.

While there is no evidence of active exploitation in the wild or public proof-of-concept exploit code at this time, numerous Cisco products have been listed in CISA’s Known Exploited Vulnerabilities Catalog. Due to the large market share held by Cisco, threat actors may attempt to develop exploit code by reverse engineering fixed versions of the software. 

Arctic Wolf strongly recommends upgrading Cisco Unity Connection as soon as possible to mitigate the risk posed by this vulnerability. 

Affected Versions                         Fixed Version
Cisco Unity Connection 14                 14.0.1.14006-5
Cisco Unity Connection 12.5 and earlier   12.5.1.19017-4
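
To apply the table above across an inventory, the following added example (not code from Arctic Wolf or Cisco) classifies reported Cisco Unity Connection version strings against the two fixed releases. The hostnames and sample versions are constructed, and the check assumes the version fields compare numerically within a release train.

```python
import re

# Fixed releases from the table in this bulletin, as (major, minor, maint, build, rev).
FIXED_14 = (14, 0, 1, 14006, 5)
FIXED_12_5 = (12, 5, 1, 19017, 4)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text):
    """Turn '14.0.1.14006-5' into (14, 0, 1, 14006, 5); None if malformed."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def triage(version_text):
    """Classify one reported version against the bulletin's table.

    Assumption: the fields compare numerically within a release train.
    """
    v = parse_version(version_text)
    if v is None:
        return "unparsed"            # not in the expected form; check by hand
    if v[0] == 14:
        return "fixed" if v >= FIXED_14 else "upgrade"
    if v[:2] <= (12, 5):
        return "fixed" if v >= FIXED_12_5 else "upgrade"
    return "not-listed"              # release train not covered by the table


def triage_inventory(inventory):
    """Return (host, version, status) rows, hosts needing action first."""
    order = {"upgrade": 0, "unparsed": 1, "not-listed": 2, "fixed": 3}
    rows = [(host, ver, triage(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = {
    "cuc-a.example.test": "14.0.1.13900-2",
    "cuc-b.example.test": "14.0.1.14006-5",
    "cuc-c.example.test": "11.5.1.21900-40",
    "cuc-d.example.test": "12.5.1.19017-4",
    "cuc-e.example.test": "12.5(1)SU7",
    "cuc-f.example.test": "15.0.1.10000-3",
}

if __name__ == "__main__":
    for host, ver, status in triage_inventory(SAMPLE):
        print(f"{status:<11} {host:<20} {ver}")
```

Hosts reported as "unparsed" or "not-listed" fall outside what the table can decide and should be checked against Cisco's security advisory directly.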

Recommendation for CVE-2024-20272

Recommendation: Upgrade to a Fixed Version of Cisco Unity Connection

Arctic Wolf strongly recommends upgrading to a fixed version of Cisco Unity Connection as described in Cisco’s security advisory. 

Note that this release must be requested specifically from the Cisco Technical Assistance Center (TAC); it is not available for download directly from the Download Center. Only Cisco customers with service contracts providing access to regular software updates will have access to it.

