A vulnerability in the administrator web interface of the Cisco TelePresence Video Communication Server (VCS) Expressway could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of a targeted device.
The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the affected device and submitting crafted HTTP requests. A successful exploit could allow the attacker to execute operating system commands and escalate privileges to increase the level of access to the targeted system.
Cisco has confirmed the vulnerability and software updates are available.
An authenticated, remote attacker could utilize this vulnerability by sending crafted HTTP requests to the targeted device. Devices utilizing default configuration settings are vulnerable to this exploit.
To exploit this vulnerability, an attacker requires authenticated access to the targeted system. Authenticated access may require the attacker to access trusted, internal networks. These requirements could limit the likelihood of a successful exploit.
Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.