Cisco Expressway
Recent Cisco Expressway Security Advisories
| Advisory | Title | Published |
|---|---|---|
| 2024-02-08 | Cisco Expressway Series Cross-Site Request Forgery Vulnerabilities | February 8, 2024 |
| 2023-08-16 | Cisco Expressway Series and Cisco TelePresence Video Communication Server Command Injection Vulnerability | August 16, 2023 |
| 2023-06-07 | Cisco Expressway Series and Cisco TelePresence Video Communication Server Privilege Escalation Vulnerabilities | June 7, 2023 |
| 2022-10-05 | Cisco Expressway Series and Cisco TelePresence Video Communication Server Vulnerabilities | October 5, 2022 |
| 2022-07-06 | Cisco Expressway Series and Cisco TelePresence Video Communication Server Vulnerabilities | July 6, 2022 |
| 2022-05-18 | Cisco Expressway Series and Cisco TelePresence Video Communication Server Vulnerabilities | May 18, 2022 |
| 2022-03-02 | Cisco Expressway Series and Cisco TelePresence Video Communication Server Vulnerabilities | March 2, 2022 |
| 2021-08-18 | Cisco Expressway Series and TelePresence Video Communication Server Image Verification Vulnerability | August 18, 2021 |
| 2021-08-18 | Cisco Expressway Series and TelePresence Video Communication Server Remote Code Execution Vulnerability | August 18, 2021 |
By the Year
In 2024 there have been 3 vulnerabilities in Cisco Expressway with an average score of 8.2 out of ten. Last year Expressway had 1 security vulnerability published. That is, 2 more vulnerabilities have already been reported in 2024 as compared to last year. However, the average CVE base score of the vulnerabilities in 2024 is greater by 0.73.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2024 | 3 | 8.23 |
| 2023 | 1 | 7.50 |
| 2022 | 4 | 6.28 |
| 2021 | 2 | 7.20 |
| 2020 | 2 | 7.00 |
| 2019 | 0 | 0.00 |
| 2018 | 1 | 7.50 |
It may take a day or so for new Expressway vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Cisco Expressway Security Vulnerabilities
A vulnerability in the SOAP API of Cisco Expressway Series and Cisco TelePresence Video Communication Server could
CVE-2024-20255
7.1 - High
- February 07, 2024
A vulnerability in the SOAP API of Cisco Expressway Series and Cisco TelePresence Video Communication Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected system. An attacker could exploit this vulnerability by persuading a user of the REST API to follow a crafted link. A successful exploit could allow the attacker to cause the affected system to reload.
Session Riding
Multiple vulnerabilities in Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks
CVE-2024-20254
8.8 - High
- February 07, 2024
Multiple vulnerabilities in Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks that perform arbitrary actions on an affected device. Note: "Cisco Expressway Series" refers to Cisco Expressway Control (Expressway-C) devices and Cisco Expressway Edge (Expressway-E) devices. For more information about these vulnerabilities, see the Details ["#details"] section of this advisory.
Session Riding
Multiple vulnerabilities in Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks
CVE-2024-20252
8.8 - High
- February 07, 2024
Multiple vulnerabilities in Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks that perform arbitrary actions on an affected device. Note: "Cisco Expressway Series" refers to Cisco Expressway Control (Expressway-C) devices and Cisco Expressway Edge (Expressway-E) devices. For more information about these vulnerabilities, see the Details ["#details"] section of this advisory.
Session Riding
The HTTP/2 protocol
CVE-2023-44487
7.5 - High
- October 10, 2023
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Resource Exhaustion
Multiple vulnerabilities in the API and in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could
CVE-2022-20812
6.5 - Medium
- July 06, 2022
Multiple vulnerabilities in the API and in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow a remote attacker to overwrite arbitrary files or conduct null byte poisoning attacks on an affected device. Note: Cisco Expressway Series refers to the Expressway Control (Expressway-C) device and the Expressway Edge (Expressway-E) device. For more information about these vulnerabilities, see the Details section of this advisory.
Directory traversal
Multiple vulnerabilities in the API and in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could
CVE-2022-20813
5.9 - Medium
- July 06, 2022
Multiple vulnerabilities in the API and in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow a remote attacker to overwrite arbitrary files or conduct null byte poisoning attacks on an affected device. Note: Cisco Expressway Series refers to the Expressway Control (Expressway-C) device and the Expressway Edge (Expressway-E) device. For more information about these vulnerabilities, see the Details section of this advisory.
Improper Certificate Validation
A CWE-306: Missing Authentication for Critical Function vulnerability exists
CVE-2022-22809
5.3 - Medium
- February 09, 2022
A CWE-306: Missing Authentication for Critical Function vulnerability exists that could allow modifications of the touch configurations in an unauthorized manner when an attacker attempts to modify the touch configurations. Affected Product: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)
Missing Authentication for Critical Function
A CWE-1021 Improper Restriction of Rendered UI Layers or Frames vulnerability exists
CVE-2022-22807
7.4 - High
- February 09, 2022
A CWE-1021 Improper Restriction of Rendered UI Layers or Frames vulnerability exists that could cause unintended modifications of the product settings or user accounts when deceiving the user to use the web interface rendered within iframes. Affected Product: EcoStruxure EV Charging Expert (formerly known as EVlink Load Management System): (HMIBSCEA53D1EDB, HMIBSCEA53D1EDS, HMIBSCEA53D1EDM, HMIBSCEA53D1EDL, HMIBSCEA53D1ESS, HMIBSCEA53D1ESM, HMIBSCEA53D1EML) (All Versions prior to SP8 (Version 01) V4.0.0.13)
Clickjacking
A vulnerability in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could
CVE-2021-34716
7.2 - High
- August 18, 2021
A vulnerability in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to execute arbitrary code on the underlying operating system as the root user. This vulnerability is due to incorrect handling of certain crafted software images that are uploaded to the affected device. An attacker could exploit this vulnerability by authenticating to the system as an administrative user and then uploading specific crafted software images to the affected device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system as the root user.
Improper Handling of Exceptional Conditions
A vulnerability in the image verification function of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could
CVE-2021-34715
7.2 - High
- August 18, 2021
A vulnerability in the image verification function of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to execute code with internal user privileges on the underlying operating system. The vulnerability is due to insufficient validation of the content of upgrade packages. An attacker could exploit this vulnerability by uploading a malicious archive to the Upgrade page of the administrative web interface. A successful exploit could allow the attacker to execute code with user-level privileges (the _nobody account) on the underlying operating system.
Improper Verification of Cryptographic Signature
A vulnerability in the Traversal Using Relays around NAT (TURN) server component of Cisco Expressway software could
CVE-2020-3482
6.5 - Medium
- November 18, 2020
A vulnerability in the Traversal Using Relays around NAT (TURN) server component of Cisco Expressway software could allow an unauthenticated, remote attacker to bypass security controls and send network traffic to restricted destinations. The vulnerability is due to improper validation of specific connection information by the TURN server within the affected software. An attacker could exploit this issue by sending specially crafted network traffic to the affected software. A successful exploit could allow the attacker to send traffic through the affected software to destinations beyond the application, possibly allowing the attacker to gain unauthorized network access.
Improper Privilege Management
A vulnerability in the Session Initiation Protocol (SIP) of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could
CVE-2020-3596
7.5 - High
- October 08, 2020
A vulnerability in the Session Initiation Protocol (SIP) of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to incorrect handling of incoming SIP traffic. An attacker could exploit this vulnerability by sending a series of SIP packets to an affected device. A successful exploit could allow the attacker to exhaust memory on an affected device, causing it to crash and leading to a DoS condition.
Always-Incorrect Control Flow Implementation
Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet
CVE-2018-5390
7.5 - High
- August 06, 2018
Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service.
Resource Exhaustion
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Red Hat Enterprise Linux Workstation or by Cisco? Click the Watch button to subscribe.
