September 26, 2023

Cisco has addressed patches for two critical vulnerabilities that persisted in its products

The first is a critical vulnerability, tracked as CVE-2022-20812 with a CVSS score of 9.0, that existed in the Expressway series and Telepresence VCS

Advertisements

The vulnerability impacts Expressway Control (Expressway-C) and Expressway Edge (Expressway-E) devices, a remote attacker can trigger the flaw to overwrite files on the underlying operating system with root privileges.

The root cause of the vulnerability is the insufficient input validation of user-supplied command arguments. Threat actors can trigger the flaw by authenticating to the system as an administrative read-write user and submitting crafted input to the affected command.

The second bug is a Null Byte poisoning issue that occurs due to improper certificate validation, tracked as CVE-2022-20813 with a CVSS Score 9.0 in Expressway Series and TelePresence VCS.

An attacker can trigger the vulnerability by using a man-in-the-middle technique to intercept the traffic between devices, and then using a crafted certificate to impersonate the endpoint. The attacker can view the intercepted traffic in clear text or manipulate it.

Advertisements

Both issues have been addressed with the release of Expressway series and TelePresence VCS release 14.0.7, but no workarounds that address these vulnerabilities are available.

None of the vulnerabilities are exploited in wild as confirmed by Cisco

Tags:

Leave a Reply

You may have missed

Sony attack – Ransomed.vc claims responsibility

September 26, 2023

Chrome Zeroday – CVE-2023-4863 PoC Exploit Released

September 25, 2023

BlackCat adds Clarion to its Victim list

September 24, 2023

TheCyberThrone Security Week In Review – September 23, 2023

September 24, 2023

MGM Resorts and Ceasars Attacks – Lesson Learnt

September 23, 2023

CISA KEV Update September 2023 – Part II

September 23, 2023
%d bloggers like this: