Cisco Unity Connection [1] [2] [3] [4] [5] [6] [7] [8] [9], a messaging and voicemail product [2], has recently received a fix for a critical security flaw (CVE-2024-20272) that allows a remote attacker to gain root privileges without authentication.


This vulnerability, discovered by Maxim Suslov [3], is an unauthenticated arbitrary file upload vulnerability in the web-based management interface of Cisco Unity Connection [4] [7]. It can be exploited by uploading arbitrary files and executing commands on the underlying operating system [3]. Versions 12.5 and 14 of Cisco Unity Connection are affected, but the most recent version, 15, is unaffected [2]. Cisco advises customers to install the necessary security patches, as there are no effective workarounds [3].

In addition to the patch for CVE-2024-20272, Cisco has also released updates for 11 medium-severity vulnerabilities in its software [1] [5]. Cisco Unity Connection is a robust unified messaging and voicemail solution designed for complex distributed global deployments and can be run on virtualized hardware.


Customers are advised to install the necessary security patches for Cisco Unity Connection to mitigate the risk of unauthorized access. Cisco will not release a fix for the command injection bug in WAP371, as the device has reached end-of-life [5]. Customers are advised to migrate to the Cisco Business 240AC Access Point [5]. There have been no public disclosures or reports of malicious use of this vulnerability [2]. Cisco's prompt response to addressing the security flaw demonstrates its commitment to ensuring the security of its products.