CISCO Fixes Critical Flaws in VCS
Share this:
Cisco announced security patches for a couple of critical vulnerabilities, tracked as CVE-2022-20754 and CVE-2022-20755 with a CVSS score of 9.0, in its Expressway Series and TelePresence Video Communication Server (VCS) unified communications products.
Multiple vulnerabilities in the API and web-based management interfaces of Cisco Expressway Series and Cisco TelePresence Video Communication Server could allow an authenticated, remote attacker with read/write privileges to application to write files or execute arbitrary code on the underlying operating system of an affected device as the root user.
Cisco Advisory
A remote, authenticated attacker with read/write privileges to the vulnerable application can exploit the vulnerabilities to write files or execute arbitrary code on the underlying operating system with root privileges.
The CVE-2022-20754 issue is an arbitrary file write vulnerability in Cisco Expressway Series and Cisco TelePresence VCS, it could be exploited to conduct directory traversal attacks and overwrite files on the underlying operating system. This flaw was caused by insufficient input validation of user-supplied command arguments.
The CVE-2022-20755 flaw is a command injection vulnerability in Cisco Expressway Series and Cisco TelePresence VCS, it resides in their web-based management interface and could allow an authenticated, remote attacker with read/write privileges to the application to execute arbitrary code on the underlying operating system of an affected device as the root user.
Both vulnerabilities have been addressed with the release of the 14.0.5 version and the exploits are not used in attacks
