Advisory No: TZCERT/SA/2024/02/02
Date of First Release: 2nd February 2024
- Unified CM, Unified CM SME, Unified CM IM&P and Unity Connection
Unified CM and Unity Connection are affected by two vulnerabilities: CVE-2024-20253, which could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device, and CVE-2024-20272, which could allow a remote attacker to upload arbitrary files to an affected system and execute commands on the underlying operating system.
CVE-2024-20253 results from improper processing of user-provided data that is read into memory. An attacker could exploit this vulnerability by sending a specially crafted message to a listening port of an affected device. With access to the underlying operating system, the attacker could also establish root access. CVE-2024-20272, which affects Cisco Unity Connection, is due to a lack of authentication in a specific API and improper validation of user-supplied data. This allows an attacker to upload arbitrary files to an affected system, execute arbitrary commands on the operating system upon successful exploitation, and elevate privileges to root.
Successful exploitation of these vulnerabilities may allow the remote attacker to take control of the affected system.
Cisco has released security updates to resolve these vulnerabilities. Users and administrators are encouraged to update as soon as possible.