CVE-2022-20853 & CVE-2022-20814: High Flaws in Cisco Expressway Series and Cisco TelePresence Video Communication

CVE-2022-20853

Cisco on Wednesday informed customers that security updates are available for several of the company’s products, including Cisco Expressway Series and Cisco TelePresence Video Communication Server.

Two of the vulnerabilities have been rated “high” severity by the networking giant. Tracked as CVE-2022-20814 and CVE-2022-20853, the flaws affect Cisco Expressway Series Software and Cisco TelePresence Video Communication Server (VCS) Software in the default configuration, and they can be exploited by an attacker to perform malicious activities.

CVE-2022-20814 (CVSS score: 7.4) is caused by improper validation of the certificate that an affected device receives when it establishes a connection to a Cisco Unified Communications Manager device.

“An attacker could exploit this vulnerability by using a man-in-the-middle technique to intercept the traffic between the devices, and then using a self-signed certificate to impersonate the endpoint. A successful exploit could allow the attacker to view the intercepted traffic in clear text or alter the contents of the traffic,” read the Cisco advisory.

CVE-2022-20853 (CVSS score: 7.4) is caused by improper validation of user-supplied input due to insufficient cross-site request forgery (CSRF) protections in the web-based management interface of an affected system. By persuading an authenticated user to visit a malicious website, a remote authenticated attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, web cache poisoning, and other malicious activities.
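As an added illustration of the kind of CSRF check a management interface needs (example code written for this article, not Cisco's implementation), the function below rejects a state-changing request unless it carries a same-origin Origin/Referer header and a per-session token bound to the session under a server secret; the hostname `expressway.example.internal` and the session id are constructed values.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Server-side secret used to derive per-session tokens (constructed here for the example;
# a real deployment would load it from protected configuration).
SECRET_KEY = secrets.token_bytes(32)

# Host name the management interface is served from (assumed value for this example).
EXPECTED_HOST = "expressway.example.internal"


def issue_csrf_token(session_id: str) -> str:
    """Derive the CSRF token for a session: HMAC-SHA256 of the session id under SECRET_KEY.
    The token is embedded in forms served to that session and must be echoed back."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_state_changing(method: str) -> bool:
    """Only methods that can change server state need CSRF protection."""
    return method.upper() not in ("GET", "HEAD", "OPTIONS")


def csrf_check(method: str, headers: dict, form: dict, session_id: str) -> tuple:
    """Return (accepted, reason) for one incoming request to the management interface.

    A request is accepted only if it is a safe method, or if BOTH the browser-supplied
    origin matches the interface's own host AND the form carries the session's token.
    The "insufficient protection" case is a server that skips everything below and
    trusts the session cookie alone, which a cross-site form post also carries.
    """
    if not is_state_changing(method):
        return True, "safe method"
    # Origin is sent by browsers on cross-site POSTs; fall back to Referer if absent.
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False, "missing Origin and Referer"
    if urlsplit(origin).hostname != EXPECTED_HOST:
        return False, "cross-origin request rejected"
    token = form.get("csrf_token", "")
    # Constant-time comparison so token checking does not leak timing information.
    if not hmac.compare_digest(token, issue_csrf_token(session_id)):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```

A request that arrives from another site fails the origin check even when the victim's session cookie is attached, and a same-origin request without the token (for example one replayed without the form) fails the token check.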

Cisco has released free software updates that address the vulnerabilities and says there is no indication that any of the flaws patched have been exploited for malicious purposes.