Cisco TelePresence Video Communication Server Expressway Information Disclosure Vulnerability

A vulnerability in the System Snapshot of Cisco TelePresence Video Communication Server (VCS) Expressway could allow an authenticated, remote attacker to view sensitive data.

The vulnerability is due to insufficient protection of data at rest. An attacker could exploit this vulnerability by downloading the snapshot file and viewing the password hashes in it. An exploit could allow the attacker to crack the password hashes and use the credentials to launch further attacks.

Cisco has confirmed the vulnerability; however, software updates are not available.

To exploit this vulnerability, an attacker requires authenticated access to the targeted system. Authenticated access may require the attacker to access trusted, internal networks. These requirements could limit the likelihood of a successful exploit.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.