
Cisco patches critical bugs in collaboration products

Attackers could exploit the flaw to run their own code on Cisco's video conferencing servers


Cisco has patched two critical bugs that could allow attackers to write files and run arbitrary code on its video conferencing and collaboration products.

Each bug affects the company's Cisco Expressway series of collaboration servers and its TelePresence Video Communication Server (VCS).

The first vulnerability, CVE-2022-20754, allows a remote attacker to write files to the system. It lies in the products' cluster database API, which doesn't properly validate user input. An attacker authenticated as an administrative user could submit crafted input in a directory traversal attack and then write their own files with root privileges, including overwriting existing operating system files.

The second flaw, CVE-2022-20755, allows an attacker to execute arbitrary code by exploiting the products' web management interface. An attacker could log in as an admin and then craft malicious input that would let them run their own code as root.

These vulnerabilities, each of which has a 9.0 CVSS score, do not depend on each other, Cisco said in its advisory, and customers are told to install both patches to protect their systems.
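The root cause described for the first bug, a file path taken from an API request without proper validation, is the kind of defect a defender can look for in any code that writes files on behalf of a client. The following Python is an added example, not Cisco code: a hypothetical cluster-database export handler showing the naive check that lets traversal through beside a canonicalising check that confines writes to a base directory. The directory path, function names and sample request paths are assumptions.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed example: the directory an export handler is meant to write
# into. Hypothetical path, not taken from any Cisco product.
BASE_DIR = "/var/lib/clusterdb/exports"


def weak_is_safe(user_path: str) -> bool:
    """Naive check of the kind that lets traversal through.

    It only looks for a literal '..' and a leading '/', so a percent-encoded
    '%2e%2e/' sequence that the web layer decodes later is not caught.
    """
    return ".." not in user_path and not user_path.startswith("/")


def resolve_safe_path(base_dir: str, user_path: str) -> Optional[str]:
    """Hardened check: decode, canonicalise, then confine to base_dir.

    Returns the absolute path to write to, or None if the request would
    land outside base_dir (or on base_dir itself, which is not a file).
    """
    base = os.path.realpath(base_dir)
    decoded = unquote(user_path)           # normalise percent-encoding first
    # join() discards base when decoded is absolute; realpath() then folds
    # '.', '..' and symlinks the way the filesystem would.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def triage(paths):
    """Return, for each constructed request path, what each check decides."""
    return {
        p: {"weak_allows": weak_is_safe(p),
            "hardened_target": resolve_safe_path(BASE_DIR, p)}
        for p in paths
    }


if __name__ == "__main__":
    # Constructed sample requests: one legitimate export and the kinds of
    # out-of-directory paths a validation check must reject.
    for path, verdict in triage([
        "report.json",
        "../../../../etc/passwd",
        "%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
        "/etc/passwd",
    ]).items():
        print(f"{path!r}: {verdict}")
```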

Cisco Expressway is a series of devices supporting collaboration with users outside of a company's firewall. The system, which operates without the need for a VPN client, supports video, voice, and instant messaging. Users can also see each other's presence information.


The TelePresence VCS is a server for managing video conferencing sessions. It works as an appliance on a customer's premises or in the cloud, and supports communication between different video conferencing platforms.

TelePresence VCS has not been sold since December 2020. Cisco will stop issuing software maintenance patches for this product on December 29 this year and will stop providing support entirely at the end of 2023.
