Cisco has released a Critical severity security advisory for Cisco Expressway Series and Cisco TelePresence Video Communication Server vulnerabilities.
An attacker could remotely exploit these vulnerabilities to take control of an impacted device.
“Multiple vulnerabilities in the API and in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow a remote attacker to overwrite arbitrary files or conduct null byte poisoning attacks on an affected device,” Cisco wrote in the advisory.
Two vulnerabilities were addressed in the advisory:
- CVE-2022-20812: Cisco Expressway Series and Cisco TelePresence VCS Arbitrary File Overwrite Vulnerability (CVSS 9.0).
- CVE-2022-20813: Cisco Expressway Series and Cisco TelePresence VCS Null Byte Poisoning Vulnerability (CVSS 7.4).
Regarding CVE-2022-20812, Cisco warned that “an authenticated, remote attacker with Administrator read-write privileges on the application to conduct absolute path traversal attacks on an affected device and overwrite files on the underlying operating system as a root user.”
Moreover, CVE-2022-20813 is caused by improper certificate validation.
“An attacker could exploit this vulnerability by using a man-in-the-middle technique to intercept the traffic between devices, and then using a crafted certificate to impersonate the endpoint,” Cisco added.
Cisco has released software updates for each of the vulnerabilities.
- Cisco issues security updates for Spring Framework, Firepower and IOS XR software
- Cisco issues Critical security updates for Spring Framework vulnerability
- Cisco patches High risk Email Security Appliance DNS Verification DoS vulnerability
- Cisco releases Critical security update for multiple vulnerabilities in Small Business RV Routers