Cisco TelePresence Video Communication Server Command Injection Vulnerability

A vulnerability in the web framework in the Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to inject arbitrary commands that are executed at the nobody
privilege level.

The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the affected parameter in a web page. The user must be authenticated in order to access the affected parameter. A successful exploit could allow an attacker to execute commands at the nobody privilege level.

Cisco has confirmed the vulnerability and released updated software.

To exploit this vulnerability, an attacker requires authenticated access to the targeted system. Authenticated access may require the attacker to access trusted, internal networks. These requirements could limit the likelihood of a successful exploit.

Cisco PSIRT indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.