Cisco released seven new security advisories, which included fixes for two vulnerabilities rated as critical in its Expressway and TelePresence products. According to the advisory, both Expressway and TelePresence VCS were found to be susceptible to a privilege escalation bug.

One of the identified bugs, referred to as CVE-2023-20105, allows a remote administrator to elevate their privileges from read-only to read-write. The vulnerability lies in the system's handling of password change requests. Exploiting this bug successfully could enable an attacker to modify the passwords of any user on the system, including administrative read-write users, and potentially impersonate them.

The second vulnerability, tracked as CVE-2023-20192, affects privilege management in both systems. As with the first vulnerability, an attacker with read-only command line interface (CLI) access can elevate their privileges to read-write. A successful exploit of this bug could allow the attacker to execute commands beyond their intended access level, potentially modifying system configuration parameters.

Cisco has provided a workaround for CVE-2023-20192, recommending that access be disabled for administrators with read-only privileges. In addition to these critical vulnerabilities, Cisco's recent advisories also address three high-rated vulnerabilities: in its Adaptive Security Appliance Software and Firepower Threat Defense Software; in Unified Communications Manager IM and Presence Service; and in the AnyConnect client for Windows and Secure Client for Windows.

Furthermore, medium-rated vulnerabilities in the Small Business 200, 300, and 500; Secure Workload; and UCM products were patched as well. By promptly addressing these vulnerabilities and offering mitigations, Cisco aims to enhance the security and integrity of its collaboration kit and related software solutions. It is important for Cisco users to implement the provided fixes and follow Cisco's guidance to ensure the protection of their networks and data from potential exploits.
