Critical Patches Issued for Cisco Expressway Series, TelePresence VCS Products
Security News, March 2022
Cisco this week shipped patches to address a new round of critical security vulnerabilities affecting Expressway Series and Cisco TelePresence Video Communication Server that could be exploited by an attacker to gain elevated privileges and execute arbitrary code.
"These vulnerabilities were found during internal security testing by Jason Crowder of the Cisco Advanced Security Initiatives Group," the company noted in its advisory published Wednesday.
Cisco also addressed three flaws in other products:
CVE-2022-20665 - A command injection vulnerability in the CLI of Cisco StarOS that could allow an authenticated, local attacker with administrative credentials to execute arbitrary code with root privileges.
CVE-2022-20756 - A denial-of-service vulnerability in the RADIUS feature of Cisco Identity Services Engine (ISE) that could allow an unauthenticated, remote attacker to cause the system to stop processing RADIUS packets.
CVE-2022-20762 - A privilege escalation flaw in the Common Execution Environment (CEE) ConfD CLI of Cisco Ultra Cloud Core - Subscriber Microservices Infrastructure (SMI) software that could permit an authenticated, local attacker to escalate to root privileges.
Cisco also noted that it found no evidence of malicious exploitation of the vulnerabilities, adding that they were found either during internal security testing or during the resolution of a Cisco Technical Assistance Center (TAC) support case.
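CVE-2022-20756 is described only by its effect: an ISE node stops processing RADIUS packets, which from the network's side is a silent authentication outage rather than an error. The following is an added example, not code from the article or from Cisco, of the check a practitioner would put in monitoring for that effect: a RADIUS Status-Server probe (RFC 5997) that sends a request carrying the required Message-Authenticator and validates the reply's Response Authenticator as RFC 2865 defines it, so a forged reply or a wrong shared secret is not mistaken for a healthy server. The host, port and shared secret are caller-supplied assumptions; build_response is a constructed server-side reply used only to exercise the validation offline. The probe detects the symptom, not the vulnerability, and is no substitute for installing the fixed release.

```python
"""Added example, not from the article or from Cisco: a RADIUS Status-Server
(RFC 5997) probe that detects an ISE node that has stopped answering RADIUS."""
import hashlib
import hmac
import os
import socket
import struct
from typing import Optional, Tuple

CODE_ACCESS_ACCEPT = 2           # expected reply on the authentication port
CODE_ACCOUNTING_RESPONSE = 5     # expected reply on the accounting port
CODE_STATUS_SERVER = 12
ATTR_MESSAGE_AUTHENTICATOR = 80  # HMAC-MD5 attribute, mandatory in Status-Server
HEADER_LEN = 20                  # code(1) + identifier(1) + length(2) + authenticator(16)


def build_status_server(identifier: int, secret: bytes,
                        authenticator: Optional[bytes] = None) -> bytes:
    """Status-Server request whose Message-Authenticator is HMAC-MD5(secret, packet
    with the attribute value zeroed), per RFC 2869 s5.14 as required by RFC 5997."""
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator: 16 random octets
    length = HEADER_LEN + 18            # exactly one 18-octet attribute follows
    header = struct.pack("!BBH", CODE_STATUS_SERVER, identifier, length) + authenticator
    attr_head = bytes([ATTR_MESSAGE_AUTHENTICATOR, 18])
    mac = hmac.new(secret, header + attr_head + b"\x00" * 16, hashlib.md5).digest()
    return header + attr_head + mac


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute a packet's Message-Authenticator and compare in constant time."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False  # malformed attribute; do not loop forever
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code: int, identifier: int, attributes: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Constructed server-side reply, used only to exercise validate_response offline."""
    auth = response_authenticator(code, identifier, attributes, request_auth, secret)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return header + auth + attributes


def validate_response(reply: bytes, request: bytes, secret: bytes) -> Tuple[bool, str]:
    """Accept a reply only if it matches our identifier, its Response Authenticator
    proves knowledge of the shared secret, and its code is one Status-Server expects."""
    if len(reply) < HEADER_LEN:
        return False, "reply shorter than the RADIUS header"
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length < HEADER_LEN or length > len(reply):
        return False, "bad Length field"
    reply = reply[:length]  # octets beyond Length are padding (RFC 2865)
    if identifier != request[1]:
        return False, "identifier mismatch (not a reply to our probe)"
    expected = response_authenticator(code, identifier, reply[HEADER_LEN:],
                                      request[4:20], secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return False, "Response Authenticator mismatch (wrong secret or forged reply)"
    if code not in (CODE_ACCESS_ACCEPT, CODE_ACCOUNTING_RESPONSE):
        return False, f"unexpected code {code}"
    return True, "ok"


def probe(host: str, port: int, secret: bytes,
          timeout: float = 3.0, attempts: int = 3) -> Tuple[bool, str]:
    """Send the probe over UDP, retrying on silence; no valid reply after all
    attempts is reported as a stall, the symptom of a RADIUS-processing DoS."""
    request = build_status_server(os.urandom(1)[0], secret)
    verdict = f"no valid reply after {attempts} attempts of {timeout}s"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(attempts):
            sock.sendto(request, (host, port))
            try:
                reply, _addr = sock.recvfrom(4096)
            except socket.timeout:
                continue
            ok, verdict = validate_response(reply, request, secret)
            if ok:
                return True, verdict
    return False, verdict
```

Run it from a host the ISE node already knows as a network device, for example probe("ise.example.internal", 1812, b"shared-secret") with a hypothetical target; three unanswered probes in a row from a node that answered a minute ago is the condition to alert on. Replies only come back if the server answers Status-Server, so baseline the check against a healthy node before trusting a stall verdict, and keep the interval modest so the monitor itself is not the RADIUS load.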
News URL
https://thehackernews.com/2022/03/critical-patches-issued-for-cisco.html
Related Vulnerabilities
DATE | CVE | VULNERABILITY | RISK (CVSS base score) |
---|---|---|---|
2022-04-06 | CVE-2022-20762 | Privilege escalation vulnerability in Cisco Ultra Cloud Core - Subscriber Microservices Infrastructure 2020.02.2.0/2020.02.7.0: A vulnerability in the Common Execution Environment (CEE) ConfD CLI of Cisco Ultra Cloud Core - Subscriber Microservices Infrastructure (SMI) software could allow an authenticated, local attacker to escalate privileges on an affected device. | 7.8 |
2022-04-06 | CVE-2022-20756 | Denial-of-service vulnerability in Cisco Identity Services Engine: A vulnerability in the RADIUS feature of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to cause the affected system to stop processing RADIUS packets. | 7.5 |
2022-04-06 | CVE-2022-20665 | Command injection vulnerability in Cisco StarOS: A vulnerability in the CLI of Cisco StarOS could allow an authenticated, local attacker to elevate privileges on an affected device. | 6.7 |