CISCO declares the availability of patches for a critical vulnerability in Enterprises and Communication solutions

According to the technology company, CISCO, the vulnerability affects Expressway Control (Expressway-C) and Expressway Edge devices, which are meant to enable remote collaboration for both mobile users and teleworkers.

“Multiple vulnerabilities in the API and in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow a remote attacker to overwrite arbitrary files or conduct null byte poisoning attacks on an affected device,” Cisco notes in an advisory.

Tracked as CVE-2022-20812 (CVSS score of 9.0), the critical severity vulnerability could allow an authenticated attack that has administered read-write privileges to overwrite files on the underlying operating system remotely, with the privileges of the root user.

The issue exists due to the user-supplied command arguments that are not sufficiently validated, allowing an attacker to submit crafted input to the affected command.

Cisco also resolved a high-severity bug impacting the enterprise communication solutions, which could allow an unauthenticated, remote attacker to access sensitive data.

“This week, Cisco also announced patches for a high-severity vulnerability in Smart Software Manager On-Prem (SSM On-Prem), which could allow a remote, authenticated attacker to cause a denial of service (DoS) condition. Tracked as CVE-2022-20808, the vulnerability was addressed in Cisco SSM On-Prem release 8-202112,” a source as per Security Week.

“This vulnerability is due to incorrect handling of multiple simultaneous device registrations on Cisco SSM On-Prem. An attacker could exploit this vulnerability by sending multiple device registration requests to Cisco SSM On-Prem,” CISCO explains.