Cisco has released a security patch addressing several vulnerabilities affecting its Expressway Series collaboration gateways, with two rated as critical severity due to their susceptibility to cross-site request forgery (CSRF) attacks. These CSRF vulnerabilities can be exploited by attackers to trick authenticated users into performing unwanted actions, potentially leading to unauthorized code execution or privilege escalation. Cisco warns that unauthenticated attackers can remotely target vulnerable Expressway gateways using the two critical CSRF vulnerabilities patched in this update.
Furthermore, Cisco identifies a third CSRF security bug that could alter vulnerable systems’ configurations and trigger denial of service conditions, adding to the severity of the threats addressed by the patch. The company advises users to migrate to a fixed release for devices running versions earlier than 14.0 to mitigate the risk of exploitation. However, Cisco states it will not release security updates for the Cisco TelePresence Video Communication Server (VCS) gateway, which reached its end-of-support date on December 31, 2023.
Despite these vulnerabilities, Cisco’s Product Security Incident Response Team (PSIRT) has not found evidence of public proof-of-concept exploits or exploitation attempts targeting them. This proactive approach to security patching reflects Cisco’s ongoing commitment to mitigating vulnerabilities and protecting its users from potential cyber threats. Additionally, recent warnings from Cisco about critical remote code execution flaws in other products highlight the importance of promptly addressing security vulnerabilities to maintain the integrity and security of network infrastructure.