Cisco TelePresence Video Communication Server Expressway Command Injection Vulnerability

A vulnerability in a local file script in Cisco TelePresence Video Communication Server (VCS) Expressway could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system with elevated privilege.

The vulnerability is due to insufficient protection of a specific local file script. An attacker could exploit this vulnerability by providing invalid parameters to a local file. An exploit could allow the attacker to execute arbitrary code on the underlying operating system with elevated privileges.

Cisco has confirmed the vulnerability and released software updates.

To exploit this vulnerability, an attacker must authenticate and have local access to the targeted device. These access requirements may reduce the likelihood of a successful exploit.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.