Executive Summary
Cisco addressed 12 vulnerabilities in January. One of the vulnerabilities, CVE-2024-20272, identified in Cisco’s Unity Connection software is classified as high-severity. It has the potential to enable an unauthenticated remote attacker to obtain root privileges on vulnerable devices.
Also, proof-of-concept exploit code is available for a medium-severity command injection vulnerability in the end-of-life Cisco WAP371 Wireless-AC/N Dual Radio Access Point.
Organisations using Cisco products should promptly review Cisco’s advisories, prioritise updates based on risk, and stay vigilant against potential exploits.
Provided below is a summary of Cisco’s recent advisories. Additionally, please refer to Cisco’s security advisory list for detailed information on the security fixes.
CVE-2024-20272
CVE-2024-20272, with a CVSS score of 7.3, affects the web-based management interface of Cisco Unity Connection, a messaging platform and voicemail system. This vulnerability allows an unauthenticated, remote attacker to upload arbitrary files to an affected system and potentially gain root privileges on vulnerable devices. Please refer to Cisco’s security advisory for the vulnerability details and fixes.
Medium-Severity Vulnerabilities
Cisco also resolved 11 medium-severity vulnerabilities across its various software products. These included issues in the Identity Services Engine, WAP371 Wireless Access Point, ThousandEyes Enterprise Agent, and TelePresence Management Suite (TMS).
It is important to mention that proof-of-concept exploit code is available online for one of those, which Cisco acknowledges. This vulnerability, tracked as CVE-2024-20287, is a command injection vulnerability found in the web-based management interface of the Cisco WAP371 Wireless-AC/N Dual Radio Access Point. It has a CVSS score of 6.5. Attackers could exploit it to execute arbitrary commands with root privileges, but administrative credentials are also required for successful exploitation.
Cisco has stated that it will not release firmware updates to patch this security flaw because the WAP371 device has reached end-of-life, and it advises customers to migrate to the Cisco Business. Please refer to Cisco’s security advisory for the details.
Critical Security Fix of Cisco in December
Cisco released a patch for Identity Services Engine (ISE) to address CVE-2023-50164 in late December. It is a critical Remote Code Execution (RCE) vulnerability in Struts, with a CVSS score of 9.8.
Apache had fixed it earlier in December. Please note that a proof-of-concept exploit code is available for the vulnerability and experts have observed exploit attempts for it. Please refer to our prior articles for more information about this vulnerability.
- [CVSS 9+]: Exploit Attempts for Apache Struts Vulnerability
- [CVSS 9+] Apache Struts Vulnerability: Update Now!
Call for Action
We advise organisations to act swiftly in response to Cisco’s recently disclosed vulnerabilities. It is crucial to review the advisories, prioritise vulnerabilities based on their risk, and apply necessary updates, especially those for which proof-of-concept exploit codes are available. Additionally, please assess the impact on your systems and plan to migrate from end-of-life products like Cisco WAP371 to supported alternatives. Lastly, remain vigilant for any signs of exploitation attempts, especially for vulnerabilities with known proof-of-concept codes. Taking prompt and decisive actions is essential for maintaining network security and integrity.