Cisco TelePresence Video Communication Server Policy Services Security Bypass Vulnerability

Cisco TelePresence Video Communication Server (VCS) contains a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions on a targeted system.

The vulnerability is due to improper processing of certain search rules processed by the affected software. An unauthenticated, remote attacker could exploit this vulnerability to access the policy service. The attacker could use this access to create a conference using Conductor. Successful exploitation could aid an attacker in conducting further attacks.

Cisco has confirmed this vulnerability; however, software updates are not available.

To exploit the vulnerability, an attacker would likely need access to trusted, internal networks. This access requirement may limit the likelihood of a successful attack.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.