Cisco Expressway-C and TelePresence VCS Vulnerability: Unauthorized Access to Sensitive Data possible via SSL Certificate Validation Flaw
CVE-2022-20814

7.4 HIGH

Key Information:

Vendor: Cisco
CVE Published: 15 November 2024

Summary

A vulnerability exists in the certificate validation process of Cisco Expressway-C and Cisco TelePresence VCS, which could be exploited by an unauthenticated remote attacker. The flaw arises from inadequate validation of the SSL server certificate during connections to Cisco Unified Communications Manager devices. An attacker may use a man-in-the-middle technique to intercept communication between devices, potentially impersonating the endpoint with a self-signed certificate. Successful exploitation may enable access to sensitive data or allow manipulation of transmitted information. Cisco has released updates that address this vulnerability; no workarounds are available.

Affected Version(s)

Cisco TelePresence Video Communication Server (VCS) Expressway X8.11.2

Cisco TelePresence Video Communication Server (VCS) Expressway X8.6

Cisco TelePresence Video Communication Server (VCS) Expressway X8.11.3

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
