Cisco this week shipped patches to address a new round of critical security vulnerabilities affecting Expressway Series and Cisco TelePresence Video Communication Server (VCS) that could be exploited by an attacker to gain elevated privileges and execute arbitrary code.
The two flaws, tracked as CVE-2022-20754 and CVE-2022-20755 (CVSS score: 9.0 each), are an arbitrary file write and a command injection flaw in the API and web-based management interfaces of the two products.
The company said both issues stem from insufficient input validation of user-supplied command arguments. An authenticated, remote attacker could weaponize this weakness to carry out directory traversal attacks, overwrite arbitrary files, and run malicious code on the underlying operating system as the root user.
“These vulnerabilities were found during internal security testing by Jason Crowder of the Cisco Advanced Security Initiatives Group (ASIG),” the company noted in its advisory published Wednesday.
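As an added illustration of the weakness class named above (insufficient validation of user-supplied arguments that lets a caller escape a directory or inject a command), the block below places a vulnerable "before" form next to a hardened one. This is example code written for this page; it is not Cisco's code and says nothing about how Expressway or VCS are built internally. The directory `UPLOAD_ROOT`, the hostname pattern `HOSTNAME_RE` and the `ping` helper are assumptions made for the demo.

```python
# Hypothetical example of the weakness class (path traversal / arbitrary file
# write and command injection) beside a hardened form. Not Cisco's code.
import os
import re
from pathlib import Path

# Assumed directory an API handler is permitted to write into.
UPLOAD_ROOT = "/var/tmp/uploads"

# Assumed allow-list for a hostname argument handed to a privileged helper.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def vulnerable_write_path(root: str, user_name: str) -> str:
    """'Before' form: the user-supplied name is joined without any check,
    so '../../etc/passwd' escapes root and the write lands elsewhere."""
    return os.path.join(root, user_name)


def safe_write_path(root: str, user_name: str) -> Path:
    """Resolve the target and require it to stay strictly inside root.
    Rejects '..' segments, absolute names and the root directory itself."""
    root_path = Path(root).resolve()
    target = (root_path / user_name).resolve()
    try:
        inside = target.is_relative_to(root_path)  # Python 3.9+
    except AttributeError:  # fallback for older interpreters
        inside = os.path.commonpath([str(root_path), str(target)]) == str(root_path)
    if not inside or target == root_path:
        raise ValueError(f"path traversal rejected: {user_name!r}")
    return target


def vulnerable_command(host: str) -> str:
    """'Before' form: the argument is spliced into a shell string.
    A value such as '10.0.0.1; id' makes the shell run 'id' as well."""
    return f"ping -c 1 {host}"


def safe_command(host: str) -> list:
    """Validate against the allow-list, then build an argv list that is
    meant for subprocess.run(argv, shell=False), so no shell parses it."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"argument rejected: {host!r}")
    return ["ping", "-c", "1", host]


def accepts(fn, *args) -> bool:
    """True if fn accepts the input, False if it raises ValueError."""
    try:
        fn(*args)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: one benign, one traversal, one injection attempt.
    print(vulnerable_write_path(UPLOAD_ROOT, "../../etc/passwd"))
    print(accepts(safe_write_path, UPLOAD_ROOT, "../../etc/passwd"))
    print(vulnerable_command("10.0.0.1; id"))
    print(accepts(safe_command, "10.0.0.1; id"))
```

The hardened functions reject bad input rather than trying to sanitise it; when the handler runs as root, as the advisory describes, an allow-list plus a no-shell argv list is the check that keeps a crafted argument from becoming a root shell.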
Also addressed by Cisco are three other flaws in StarOS, Cisco Identity Services Engine RADIUS Service, and Cisco Ultra Cloud Core – Subscriber Microservices Infrastructure software –
Cisco also noted that it found no evidence of malicious exploitation of the vulnerabilities, adding that they were found either during internal security testing or during the resolution of a Cisco Technical Assistance Center (TAC) support case.
Nevertheless, customers are urged to update to the latest versions as soon as possible to head off any potential in-the-wild attacks.