Critical Vulnerability in Cisco Enterprise Solutions Patched

June 8, 2023

Cisco has announced the release of patches for a critical-severity vulnerability found in its Expressway series and TelePresence Video Communication Server (VCS) enterprise collaboration and video communication solutions. The vulnerability, identified as CVE-2023-20105 with a CVSS score of 9.6, enables an administrator with 'read-only' rights to escalate their privileges to 'read-write'. The problem arises due to improper handling of password change requests, which allows an attacker authenticated as a 'read-only' administrator to send a crafted request to change the password of any user account on the system, including that of a 'read-write' administrator, and then impersonate them.

Cisco Expressway series and TelePresence VCS deployments that have granted CLI access to a read-only administrator are also vulnerable to CVE-2023-20192, a high-severity vulnerability that leads to escalation of privilege. Cisco states that CLI access is disabled by default for read-only users. The vulnerability is a result of an incorrect implementation of user role permissions. Cisco explains in an advisory, "An attacker could exploit this vulnerability by authenticating to the application as a read-only CLI administrator and issuing commands normally reserved for administrators with read-write capabilities." An attacker could use this flaw to execute commands they would not typically have access to, including altering system configuration parameters.

Patches for CVE-2023-20105 are included in Expressway series and TelePresence VCS version 14.2.1, while version 14.3.0 addresses CVE-2023-20192. This week, Cisco also announced the release of patches for high-severity denial-of-service (DoS) vulnerabilities in the Unified Communications Manager IM & Presence service and Firepower 2100 series appliances, as well as a high-severity code execution flaw in AnyConnect Secure Mobility Client and Secure Client software for Windows.

Furthermore, Cisco released fixes for two medium-severity vulnerabilities: a DoS vulnerability in Unified Communications Manager and Unified Communications Manager Session Management Edition, and an escalation of privilege issue in Secure Workload. The company also warned that no patches will be provided for a medium-severity cross-site scripting (XSS) vulnerability in Small Business 200, 300, and 500 series switches, which reached end-of-life (EoL) in or before 2019. Cisco has stated that it is not aware of any of these vulnerabilities being exploited in malicious attacks. More information on the vulnerabilities can be found on Cisco's product security page.
