Cisco TelePresence Video Communication Server Expressway Arbitrary File Injection Vulnerability

A vulnerability in the command-line interface (CLI) of the Cisco TelePresence Video Communication Server (VCS) Expressway could allow an authenticated, local attacker to inject arbitrary arguments to a script on an affected system.

The vulnerability is due to insufficient input validation of content on a local file. An attacker could exploit this vulnerability by writing arbitrary code to the affected file. An exploit could allow the attacker to write options to a file that has root privileges.

Cisco has confirmed the vulnerability; however, software updates are not available.

To exploit this vulnerability, an attacker must authenticate and have local access to the targeted device. These access requirements may reduce the likelihood of a successful exploit.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.