5.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:N/I:P/A:P
0.001 Low
EPSS
Percentile
42.2%
A vulnerability in the Password Change functionality in the Administrative Web Interface of the Cisco TelePresence Video Communication Server (VCS) Expressway could allow an authenticated, remote attacker to make unauthorized changes to user passwords.
The vulnerability is due to insufficient enforcement in the authorization process. An attacker could exploit this vulnerability by sending a specially crafted packet to the target device. An exploit could allow the attacker to change the password of active users to conduct further attacks.
Cisco has confirmed the vulnerability and software updates are available.
An authenticated, remote attacker could utilize this vulnerability by sending a specially crafted packet to the targeted device.
To exploit this vulnerability, an attacker requires authenticated access to the targeted system. Authenticated access may require the attacker to access trusted, internal networks. These requirements could limit the likelihood of a successful exploit.
Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.