Command Injection Vulnerability in Cisco Expressway Series and TelePresence VCS
CVE-2023-20209

6.5MEDIUM

Key Information:

Vendor: Cisco
Status: Cisco Telepresence Video Communication Server (vcs) Expressway
Vendor: CVE Published:; 16 August 2023

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A command injection vulnerability exists in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS). This issue arises from the insufficient validation of user-supplied input. An authenticated remote attacker with read-write privileges could exploit this vulnerability by sending a specially crafted request, potentially allowing them to execute arbitrary commands on the affected device. A successful attack may enable the attacker to gain remote shell access with elevated privileges.

Affected Version(s)

Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.1

Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.3

Cisco TelePresence Video Communication Server (VCS) Expressway X8.5

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-20209
Created by peter5he1by

References

https://sec.cloudapps.cisco.com/security/center/content/C...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Sep 28, 2023
👾
Exploit known to exist
Sep 28, 2023
Vulnerability published
Aug 16, 2023
Vulnerability Reserved
Oct 27, 2022