Cisco has released a patch for multiple vulnerabilities found in the Expressway Series collaboration gateways.
Given that two of them are rated as “critical” and would allow threat actors to execute arbitrary code remotely, patching the flaws without delay is recommended.
As per the advisory published together with the patch, Cisco addressed CVE-2024-20252 and CVE-2024-20254, which could be abused by tricking a victim into clicking a custom-tailored link. Should the victim also happen to be an administrator, this would grant the attackers the ability to add new user accounts, run arbitrary code, elevate privileges, and more. The attack is described as a “cross-site request forgery (CSRF)”.
No PoC or evidence of exploits
“An attacker could exploit these vulnerabilities by persuading a user of the API to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user,” Cisco said in its advisory.
“If the affected user has administrative privileges, these actions could include modifying the system configuration and creating new privileged accounts.”
Besides the two above-mentioned flaws, Cisco also fixed CVE-2024-20255, which could have been used by attackers to change system configuration and run denial-of-service attacks. This flaw, together with CVE-2024-20254, can only be abused on Expressway Series instances with default configurations, Cisco further explained, while the first one, CVE-2024-20252, requires the cluster database (CDB) API feature to be toggled on.
The company also stressed that the patches are for the Expressway Series, and not for the TelePresence Video Communication Server (VCS) gateway, which reached end-of-life last year and will not be getting a patch at all.
The good news is that Cisco found no evidence of hackers already abusing these flaws in their campaigns. There are no proof-of-concept (PoC) exploits out there, either.
Via BleepingComputer