Cisco Unity Connection Unauthenticated Arbitrary File Upload Vulnerability (CVE-2024-20272)

Cisco has released a patch to address an arbitrary file upload vulnerability tracked as CVE-2024-20272. Successful exploitation of the vulnerability could allow the attacker to store malicious files on the system and execute arbitrary commands on the operating system.

Cisco Unity Connection (CUC) is a voicemail and unified messaging platform that provides flexible message access options and management simplicity. It’s based on the same Linux Unified Communications Operating System as Cisco Unified Communications Manager.

Vulnerability Description

This vulnerability in the web-based management interface of Cisco Unity Connection originates from a lack of authentication in a specific API and improper validation of user-supplied data. An unauthenticated, remote attacker may exploit this vulnerability by uploading arbitrary files to the target system. Successful exploitation of the vulnerability may allow an attacker to store malicious files, execute arbitrary commands on the operating system, and elevate privileges to root.

Affected Versions

  • Cisco Unity Connection before
  • Cisco Unity Connection from 14 and before


  • Cisco Unity Connection
  • Cisco Unity Connection

Customers can refer to the Cisco Security Advisory (cisco-sa-cuc-unauth-afu-FROYsCsD) for information about the vulnerability.

Qualys Detection

Qualys customers can scan their devices with QID 317407 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.


Leave a Reply

Your email address will not be published. Required fields are marked *