Cisco this week shipped patches to tackle a new round of critical security vulnerabilities impacting Expressway Sequence and Cisco TelePresence Online video Communication Server (VCS) that could be exploited by an attacker to gain elevated privileges and execute arbitrary code.
The two flaws – tracked as CVE-2022-20754 and CVE-2022-20755 (CVSS scores: 9.) – relate to an arbitrary file write and a command injection flaw in the API and web-based administration interfaces of the two merchandise that could have serious impacts on impacted systems.
The organization claimed both equally the issues stem from inadequate input validation of consumer-supplied command arguments, a weak point that could be weaponized by an authenticated, distant attacker to have out directory traversal attacks, overwrite arbitrary files, and run destructive code on the underlying working method as the root consumer.
“These vulnerabilities ended up identified all through inner security tests by Jason Crowder of the Cisco Sophisticated Security Initiatives Group (ASIG),” the company mentioned in its advisory released Wednesday.
Also tackled by Cisco are 3 other flaws in StarOS, Cisco Id Services Motor RADIUS Support, and Cisco Extremely Cloud Main – Subscriber Microservices Infrastructure software –
- CVE-2022-20665 (CVSS rating: 6.) – A command injection vulnerability in Cisco StarOS that could make it possible for an enable an attacker with administrative credentials to execute arbitrary code with root privileges
- CVE-2022-20756 (CVSS rating: 8.6) – A denial-of-company (DoS) vulnerability affecting the RADIUS element of Cisco Identity Products and services Motor (ISE)
- CVE-2022-20762 (CVSS score: 7.8) – A privilege escalation flaw in the Frequent Execution Surroundings (CEE) ConfD CLI of Cisco Ultra Cloud Core – Subscriber Microservices Infrastructure (SMI) application that could allow an authenticated, area attacker to escalate to root privileges
Cisco also famous that it uncovered no proof of malicious exploitation of the vulnerabilities, introducing they were being possibly found in the course of inner security screening or all through the resolution of a Cisco Technological Support Centre (TAC) assist circumstance.
But yet, prospects are urged to update to the most recent versions as quickly as probable to mitigate any potential in-the-wild attacks.
Observed this post attention-grabbing? Follow THN on Facebook, Twitter and LinkedIn to go through more distinctive articles we put up.
Some parts of this posting are sourced from: