Cisco Expressway/VCS RCE via command injection in web mgmt
CVE-2023-20209 Published on August 16, 2023
A vulnerability in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker with read-write privileges on the application to perform a command injection attack that could result in remote code execution on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to establish a remote shell with root privileges.
Vulnerability Analysis
CVE-2023-20209 can be exploited with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2023-20209. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is a Code Injection Vulnerability?
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CVE-2023-20209 has been classified to as a Code Injection vulnerability or weakness.
Products Associated with CVE-2023-20209
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2023-20209 are published in Cisco Telepresence Video Communication Server:
Affected Versions
Cisco TelePresence Video Communication Server (VCS) Expressway:- Version X8.5.1 is affected.
- Version X8.5.3 is affected.
- Version X8.5 is affected.
- Version X8.6.1 is affected.
- Version X8.6 is affected.
- Version X8.1.1 is affected.
- Version X8.1.2 is affected.
- Version X8.1 is affected.
- Version X8.2.1 is affected.
- Version X8.2.2 is affected.
- Version X8.2 is affected.
- Version X8.7.1 is affected.
- Version X8.7.2 is affected.
- Version X8.7.3 is affected.
- Version X8.7 is affected.
- Version X8.8.1 is affected.
- Version X8.8.2 is affected.
- Version X8.8.3 is affected.
- Version X8.8 is affected.
- Version X8.9.1 is affected.
- Version X8.9.2 is affected.
- Version X8.9 is affected.
- Version X8.10.0 is affected.
- Version X8.10.1 is affected.
- Version X8.10.2 is affected.
- Version X8.10.3 is affected.
- Version X8.10.4 is affected.
- Version X12.5.8 is affected.
- Version X12.5.9 is affected.
- Version X12.5.0 is affected.
- Version X12.5.2 is affected.
- Version X12.5.7 is affected.
- Version X12.5.3 is affected.
- Version X12.5.4 is affected.
- Version X12.5.5 is affected.
- Version X12.5.1 is affected.
- Version X12.5.6 is affected.
- Version X12.6.0 is affected.
- Version X12.6.1 is affected.
- Version X12.6.2 is affected.
- Version X12.6.3 is affected.
- Version X12.6.4 is affected.
- Version X12.7.0 is affected.
- Version X12.7.1 is affected.
- Version X8.11.1 is affected.
- Version X8.11.2 is affected.
- Version X8.11.4 is affected.
- Version X8.11.3 is affected.
- Version X8.11.0 is affected.
- Version X14.0.1 is affected.
- Version X14.0.3 is affected.
- Version X14.0.2 is affected.
- Version X14.0.4 is affected.
- Version X14.0.5 is affected.
- Version X14.0.6 is affected.
- Version X14.0.7 is affected.
- Version X14.0.8 is affected.
- Version X14.0.9 is affected.
- Version X14.0.10 is affected.
- Version X14.0.11 is affected.
- Version X14.2.1 is affected.
- Version X14.2.2 is affected.
- Version X14.2.5 is affected.
- Version X14.2.6 is affected.
- Version X14.2.0 is affected.
- Version X14.2.7 is affected.
- Version X14.3.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.