
Cisco patches critical bugs in collaboration products

Attackers could exploit the flaw to run their own code on Cisco's video conferencing servers


Cisco has patched two critical bugs that could allow attackers to write files and run arbitrary code on its video conferencing and collaboration products.

Each bug affects the company's Cisco Expressway series of collaboration servers and its TelePresence Video Communication Server (VCS).

The first vulnerability, CVE-2022-20754, allows a remote attacker to write files to the system. It lies in the products' cluster database API, which doesn't properly validate user input. An attacker could authenticate as an administrative user and then submit malicious input via a directory traversal attack. They could then write their own files with root privileges, including overwriting existing operating system files.

The second flaw, CVE-2022-20755, allows an attacker to execute arbitrary code by exploiting the products' web management interface. An attacker could log in as an admin and then craft malicious input that would let them run their own code as root.

These vulnerabilities, each of which has a 9.0 CVSS score, do not depend on each other, Cisco said in its advisory. Customers are being told to install both patches to protect their systems.

Cisco Expressway is a series of devices supporting collaboration with users outside of a company's firewall. The system, which operates without the need for a VPN client, supports video, voice, and instant messaging. Users can also see each other's presence information.

The TelePresence VCS is a server for managing video conferencing sessions. It works as an appliance on a customer's premises or in the cloud, and supports communication between different video conferencing platforms.

TelePresence VCS has not been sold since December 2020. Cisco will stop issuing software maintenance patches for this product on December 29 this year and will stop providing support entirely at the end of 2023.
