Cisco has released patches for a new round of critical security vulnerabilities that affect the Expressway Series and Cisco TelePresence Video Communication Server line of products. These vulnerabilities would allow an attacker to gain elevated privileges on the device and execute arbitrary code.
The two vulnerabilities are being tracked as CVE-2022-20754 and CVE-2022-20755 that relate to an arbitrary file write and a command injection vulnerability, respectively. Both of these issues stem from insufficient input validation of user-supplied command arguments which, when abused, would allow an attacker to perform directory traversal attacks, overwrite arbitrary files, or execute malicious code on the operating system as the root user. Both vulnerabilities require the attacker to be authenticated on the device and have read and write access to the application to work.
Cisco has stated that it has found no evidence of malicious exploitation of either of these vulnerabilities in the wild. Both were either found during internal security testing or as part of troubleshooting a support case.