Vulnslist

find the latest Cisco vulnerabilities

Cisco Expressway Series and Cisco TelePresence Video Communication Server Privilege Escalation Vulnerabilities

cisco-sa-expressway-priv-esc-Ls2B9t7b · Critical · Published · Updated

Multiple vulnerabilities in Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated attacker with Administrator-level read-only credentials to elevate their privileges to Administrator with read-write credentials on an affected system.

Note: "Cisco Expressway Series" refers to Cisco Expressway Control (Expressway-C) devices and Cisco Expressway Edge (Expressway-E) devices.

For more information about these vulnerabilities, see the Details section of this advisory.

Cisco has released software updates that address these vulnerabilities. There are workarounds that address one of these vulnerabilities.

This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-priv-esc-Ls2B9t7b

Workarounds

There is a workaround that addresses one of these vulnerabilities.

Workaround for CVE-2023-20192: Disable CLI access for read-only users.

Note: CLI access is disabled by default for read-only administrators.

While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.

CVEs: CVE-2023-20105, CVE-2023-20192
Cisco Bug IDs: CSCvz54058, CSCwf28030
CVSS Score: Base 9.6
Base 9.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H/E:X/RL:X/RC:X
Base 8.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H/E:X/RL:X/RC:X
Product Names From Source
Cisco TelePresence Video Communication Server (VCS) Expressway

Related Products

| Product | CVE | Evidence |
|---|---|---|
| Cisco TelePresence Video Communication Server (VCS) Expressway | CVE-2023-20192 | Cisco OpenVuln |
| Cisco TelePresence Video Communication Server (VCS) Expressway | CVE-2023-20105 | Cisco OpenVuln |
| Cisco TelePresence Video Communication Server (VCS) | CVE-2023-20192 | Cisco OpenVuln |
| Cisco TelePresence Video Communication Server (VCS) | CVE-2023-20105 | Cisco OpenVuln |
| Cisco TelePresence | CVE-2023-20192 | Cisco OpenVuln |
| Cisco TelePresence | CVE-2023-20105 | Cisco OpenVuln |
| Cisco Expressway | CVE-2023-20192 | Cisco OpenVuln |
| Cisco Expressway | CVE-2023-20105 | Cisco OpenVuln |