TechRadar
Sead Fadilpašić

Cisco patches more critical security bugs — here's how you can stay protected

Cisco has released a patch for multiple vulnerabilities found in the Expressway Series collaboration gateways. 

Given that two of them are rated as “critical”, and would allow threat actors to execute arbitrary code remotely, patching the flaws without delay is recommended.

According to the advisory published alongside the patch, Cisco addressed CVE-2024-20252 and CVE-2024-20254, which could be abused by tricking a victim into clicking a custom-tailored link. If the victim is an administrator, the attackers could add new user accounts, run arbitrary code, elevate privileges, and more. The attack is described as a “cross-site request forgery (CSRF)”.

No PoC or evidence of exploits

"An attacker could exploit these vulnerabilities by persuading a user of the API to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user," Cisco said in its advisory. 

"If the affected user has administrative privileges, these actions could include modifying the system configuration and creating new privileged accounts."

Besides the two flaws mentioned above, Cisco also fixed CVE-2024-20255, which attackers could have used to change the system configuration and run denial-of-service attacks. This flaw, together with CVE-2024-20254, can only be abused on Expressway Series instances with default configurations, Cisco further explained, while for the first one, CVE-2024-20252, the victim needs to have the cluster database (CDB) API feature toggled on.

The company also stressed that the patches are for the Expressway Series, and not for the TelePresence Video Communication Server (VCS) gateway, which reached end-of-life last year and will not be getting a patch at all.

The good news is that Cisco found no evidence of hackers already abusing these flaws in their campaigns. There are no proof-of-concept (PoC) exploits out there, either.

Via BleepingComputer 
