Cisco has released patches for a new round of critical security vulnerabilities affecting the Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) product lines. The vulnerabilities would allow an attacker to gain elevated privileges on the device and execute arbitrary code on the underlying operating system.
The two vulnerabilities, tracked as CVE-2022-20754 and CVE-2022-20755, are an arbitrary file write and a command injection, respectively. Both stem from insufficient input validation of user-supplied command arguments; an attacker who abuses them can perform directory traversal, overwrite arbitrary files, or execute commands on the underlying operating system as the root user. Both require the attacker to be authenticated to the device with read and write access to the application.
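The root cause named above, a command argument accepted without validation, covers two classic failure modes: a path argument that is joined onto a trusted directory and so escapes it via `..`, and an argument that is concatenated into a shell command line. The following Python example is added here to illustrate that class; it is not Cisco code and makes no claim about how the Expressway or VCS software is implemented. The function names, the `uploads` directory, the hostname allow-list and the sample inputs are all constructed for the demonstration. Each vulnerable handler is paired with a hardened form: path confinement after canonicalisation for the file write, and allow-list validation plus argv-style execution (no shell) for the command.

```python
import os
import re
import subprocess
import tempfile

# --- Arbitrary file write via directory traversal -------------------------


def traversal_write_vulnerable(base_dir: str, name: str, data: bytes) -> str:
    """Hypothetical vulnerable handler: joins a user-supplied name onto the
    permitted directory without validation, so '../' walks out of it. A service
    running as root would then overwrite any file on the system."""
    path = os.path.join(base_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def safe_path(base_dir: str, name: str) -> str:
    """Canonicalise first (resolving '..' and symlinks), then require the result
    to stay strictly below base_dir. Absolute names are rejected as well, since
    os.path.join discards base_dir when name starts with '/'."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base}: {name!r}")
    return candidate


def traversal_write_hardened(base_dir: str, name: str, data: bytes) -> str:
    """Same operation, but only after the path has been confined."""
    path = safe_path(base_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


# --- Command injection via a shell-interpreted argument -------------------


def run_vulnerable(user_arg: str) -> str:
    """Hypothetical vulnerable handler: the argument is spliced into a command
    string that a shell parses, so ';', '&&', '|' and '$(...)' are honoured."""
    proc = subprocess.run("echo " + user_arg, shell=True,
                          capture_output=True, text=True, check=False)
    return proc.stdout


# Assumed allow-list for the demonstration: a hostname-like token only.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def run_hardened(user_arg: str) -> str:
    """Reject anything outside the allow-list, then pass the argument as a
    single argv element so no shell ever parses it."""
    if not HOSTNAME_RE.fullmatch(user_arg):
        raise ValueError(f"rejected command argument: {user_arg!r}")
    proc = subprocess.run(["echo", user_arg],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def demo() -> dict:
    """Exercise both pairs in a throwaway directory and report the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "uploads")
        os.mkdir(base)
        # Constructed attacker input: one level above the permitted directory.
        traversal_write_vulnerable(base, "../escaped.txt", b"owned")
        results["vulnerable_escaped_base"] = os.path.exists(
            os.path.join(tmp, "escaped.txt"))
        try:
            traversal_write_hardened(base, "../escaped.txt", b"owned")
            results["hardened_blocked_traversal"] = False
        except ValueError:
            results["hardened_blocked_traversal"] = True
        written = traversal_write_hardened(base, "report.txt", b"ok")
        results["hardened_allows_normal"] = (
            os.path.dirname(written) == os.path.realpath(base))
    # Constructed attacker input: a second command smuggled after ';'.
    results["vulnerable_shell_output"] = run_vulnerable("x; echo INJECTED")
    try:
        run_hardened("x; echo INJECTED")
        results["hardened_blocked_injection"] = False
    except ValueError:
        results["hardened_blocked_injection"] = True
    results["hardened_shell_output"] = run_hardened("example.com")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The two hardening choices reflect what the advisory class actually needs: validating the argument is necessary but not sufficient for paths, because `..` and symlinks only resolve once the path is canonicalised, and for commands the allow-list is backed by never handing the string to a shell at all. Confining a process to a non-root account would further limit the impact of either bug, but it does not replace argument validation.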
Cisco has stated that it is not aware of any malicious exploitation of either vulnerability in the wild. The vulnerabilities were found during internal security testing and while troubleshooting a support case.
Administrators should upgrade Cisco Expressway Series and Cisco TelePresence VCS deployments to a fixed release as soon as possible. Cisco addressed both vulnerabilities in release 14.0.5, so that version or any later release remediates them. Although Cisco has seen no exploitation in the wild, the details are now public and the interval between disclosure and weaponisation is often short. The authentication requirement narrows the exposure to accounts that already hold read/write privileges on the application, so a phished, shared or otherwise compromised administrator credential is enough to reach these bugs; restricting management-interface access and auditing those accounts is a reasonable interim control while the upgrade is scheduled. A regular patching cycle for all devices also closes older vulnerabilities before attackers pick them up.