Cisco has patched two critical bugs that could allow attackers to write files and run arbitrary code on its video conferencing and collaboration products.
Each bug affects the company's Cisco Expressway series of collaboration servers and its TelePresence Video Communication Server (VCS).
The first vulnerability, CVE-2022-20754, allows a remote attacker to write files to the system. It lies in the products' cluster database API, which doesn't properly validate user input. This enables attackers to authenticate as an administrative user and then submit malicious input via a directory traversal attack. They could then write their own files with root privileges, including overwriting existing operating system files.
The second flaw, CVE-2022-20755, allows an attacker to execute arbitrary code by exploiting the products' web management interface. An attacker could log in as an admin and then craft malicious input that would let them run their own code as root.
These vulnerabilities, each of which has a 9.0 CVSS score, do not depend on each other, Cisco said in its advisory. with customers being told to install both patches to protect their systems.
Cisco Expressway is a series of devices supporting collaboration with users outside of a company's firewall. The system, which operates without the need for a VPN client, supports video, voice, and instant messaging. Users can also see each others' presence information.
RELATED RESOURCE
The TelePresence VCS is a server for managing video conferencing sessions. It works as an appliance on a customer's premises or in the cloud, and supports communication between different video conferencing platforms.
TelePresence VCS has not been sold since December 2020. Cisco will stop issuing software maintenance patches for this product on December 29 this year and will stop providing support entirely at the end of 2023.
-
OpenAI says future models could have a ‘high’ security riskNews The ChatGPT maker wants to keep defenders ahead of attackers when it comes to AI security tools
-
Why Dell PowerEdge is the right fit for any data center needAs demand rises for RAG, HPC, and analytics, Dell PowerEdge servers provide the broadest, most powerful options for the enterprise
-
Researchers claim Salt Typhoon masterminds learned their trade at Cisco Network AcademyNews The Salt Typhoon hacker group has targeted telecoms operators and US National Guard networks in recent years
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Cisco ASA customers urged to take immediate action as NCSC, CISA issue critical vulnerability warningsNews Cisco customers are urged to upgrade and secure systems immediately
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Cisco eyes network security gains for agentic AINews New network security updates aim to secure AI agents across enterprises
