iTnews Asia

Cisco patches critical vulnerability in collaboration kit

Expressway, TelePresence VCS have password reset flaw.

By Richard Chirgwin on Jun 12, 2023 10:35AM

Cisco has patched two critical-rated vulnerabilities in its Expressway and TelePresence products, among seven new security advisories.

According to an advisory, both Expressway and TelePresence VCS are subject to a privilege escalation bug.

One of the bugs, CVE-2023-20105, lets a remote administrator elevate their privilege from read-only to read-write.

The bug is in how the system handles password change requests.

“A successful exploit could allow the attacker to alter the passwords of any user on the system, including an administrative read-write user, and then impersonate that user,” Cisco said.

The other bug, CVE-2023-20192, is in the two systems’ privilege management.

Similarly to the first vulnerability, an attacker can elevate their command line interface privileges from read-only to read-write.

“A successful exploit could allow the attacker to execute commands beyond the sphere of their intended access level, including modifying system configuration parameters,” Cisco said.

There is a workaround for CVE-2023-20192, which is to disable access for administrators with read-only privileges.

The list of advisories also includes three high-rated vulnerabilities in the company’s Adaptive Security Appliance Software and Firepower Threat Defense Software; Unified Communications Manager IM and Presence Service; and the AnyConnect client for Windows and Secure Client for Windows.

The Small Business 200, 300 and 500; Secure Workload; and UCM products had medium-rated vulnerabilities patched today.
