
Thursday 3 March 2022

Cisco Releases Security Update for Two Critical Vulnerabilities in Expressway Series and TelePresence VCS

Summary

CVEs: CVE-2022-20754, CVE-2022-20755

CVSS: 9.0 (both)

Affected Products: Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS)

Cisco released a security advisory regarding two critical vulnerabilities in the web-based management interfaces and API of its Cisco Expressway Series and Cisco TelePresence VCS products.

CVE-2022-20754 is an arbitrary file write vulnerability, while CVE-2022-20755 is a command injection vulnerability. Both vulnerabilities allow remote, authenticated attackers with read/write privileges to the application to write files or execute arbitrary code as a root user on the affected device.

Cisco is unaware of any exploitation of these vulnerabilities in the wild.

Analysis

Affected Versions

Affected product versions are listed in Cisco's advisory (see References).

Potential Impact

Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code or write files to an affected device's underlying operating system as a root user. This could allow an attacker to read, modify, or delete data on an affected device, as well as exploit a targeted device for use in further attacks.

Recommendations

Cisco has released patches for these vulnerabilities. Currently no workarounds or other mitigating actions are available.


References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-filewrite-87Q5YRk?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20Expressway%20Series%20and%20Cisco%20TelePresence%20Video%20Communication%20Server%20Vulnerabilities&vs_k=1#fs
