Last Updated on 05/03/2022 by Nidhi Khandelwal
Cisco released updates this week to address a new set of significant security flaws in the Expressway Series and Cisco TelePresence Video Communication Server (VCS) that might allow a hacker to obtain elevated access and run arbitrary code.
The two weaknesses – CVE-2022-20754 and CVE-2022-20755 (CVSS scores: 9.0) – are an arbitrary file write flaw and a command injection flaw in the two products’ API and web-based administration interfaces, respectively, and could have catastrophic consequences for vulnerable systems.
Both flaws, according to the company, stem from a lack of input validation of user-supplied command arguments, a flaw that could be exploited by a remote attacker to carry out directory traversal attacks, overwrite arbitrary files, and run malicious code as the root user on the underlying operating system.
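The two flaw classes described above, a user-supplied path used in a file write without validation and user-supplied command arguments executed without validation, with the checks that close them; this is an added illustration in Python, not Cisco's code, and the base directory, argument pattern and function names are all hypothetical.

```python
"""Input-validation checks for the two flaw classes described above.
Hypothetical example, not Cisco's code: a file-write handler that
confines user-supplied paths to one base directory, and a command
argument validator that rejects shell metacharacters and traversal."""
import os
import re
import tempfile

# Constructed allowlist: only plain tokens (alphanumerics, dot, dash,
# underscore) pass, so "../" or "; reboot" inside an argument is rejected.
SAFE_ARG = re.compile(r"^[A-Za-z0-9._-]+$")


def safe_join(base_dir, user_path):
    """Return the absolute path of user_path inside base_dir, or None if
    the resolved path escapes base_dir (a directory traversal attempt)."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    # The resolved target must be base itself or a descendant of it.
    if target == base or target.startswith(base + os.sep):
        return target
    return None


def validate_args(args):
    """Accept only simple tokens; a later subprocess call should pass the
    list with shell=False, never a string joined into a shell command."""
    return all(SAFE_ARG.match(a) and a not in (".", "..") for a in args)


def write_upload(base_dir, user_path, data):
    """Write data under base_dir only if user_path stays inside it.
    Returns True on write, False when the path was rejected."""
    target = safe_join(base_dir, user_path)
    if target is None:
        return False
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return True


def demo():
    """Run both checks on constructed inputs: one benign, one malicious each."""
    with tempfile.TemporaryDirectory() as d:
        ok = write_upload(d, "logs/export.txt", b"ok")
        blocked = write_upload(d, "../../etc/passwd", b"x")
    return ok, blocked, validate_args(["node1", "--verbose"]), validate_args(["node1;reboot"])


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```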
Cisco further stated that the vulnerabilities were discovered during internal security testing or during the resolution of a Cisco Technical Assistance Center (TAC) support issue, and that no evidence of malicious exploitation of the flaws was discovered.
Customers are encouraged to update to the most recent versions as soon as possible to avoid any potential in-the-wild attacks.