Cisco this week shipped patches to address a new round of critical security vulnerabilities affecting Expressway Series and Cisco TelePresence Video Communication Server (VCS) that could be exploited by an attacker to gain elevated privileges and execute arbitrary code.
The two flaws – tracked as CVE-2022-20754 and CVE-2022-20755 (CVSS scores: 9.) – relate to an arbitrary file write and a command injection flaw in the API and web-based management interfaces of the two products that could have serious impacts on affected systems.
The company said both issues stem from insufficient input validation of user-supplied command arguments, a weakness that could be weaponized by an authenticated, remote attacker to carry out directory traversal attacks, overwrite arbitrary files, and run malicious code on the underlying operating system as the root user.
“These vulnerabilities were found during internal security testing by Jason Crowder of the Cisco Advanced Security Initiatives Group (ASIG),” the company noted in its advisory published Wednesday.
Also addressed by Cisco are a few other flaws in StarOS, Cisco Identity Services Engine RADIUS Service, and Cisco Ultra Cloud Core – Subscriber Microservices Infrastructure software –
- CVE-2022-20665 (CVSS score: 6.) – A command injection vulnerability in Cisco StarOS that could allow an attacker with administrative credentials to execute arbitrary code with root privileges
- CVE-2022-20756 (CVSS score: 8.6) – A denial-of-service (DoS) vulnerability affecting the RADIUS feature of Cisco Identity Services Engine (ISE)
- CVE-2022-20762 (CVSS score: 7.8) – A privilege escalation flaw in the Common Execution Environment (CEE) ConfD CLI of Cisco Ultra Cloud Core – Subscriber Microservices Infrastructure (SMI) software that could allow an authenticated, local attacker to escalate to root privileges
Cisco also noted that it found no evidence of malicious exploitation of the vulnerabilities, adding they were either found during internal security testing or during the resolution of a Cisco Technical Assistance Center (TAC) support case.
Nevertheless, customers are urged to update to the latest versions as soon as possible to mitigate any potential in-the-wild attacks.
Some parts of this article are sourced from:
thehackernews.com