Cisco has disclosed three API vulnerabilities in its Cisco Expressway Series of unified communications gateways, which expose affected devices to an attacker performing “arbitrary actions”.
Cisco’s advisory states that the cross-site request forgery (CSRF) bugs affect Cisco Expressway Control and Cisco Expressway Edge devices.
The three vulnerabilities in Cisco’s advisory, CVE-2024-20252, CVE-2024-20254, and CVE-2024-20255 are all CSRF bugs in the devices’ web management interface.
All three vulnerabilities are exploited by persuading an API user to follow a crafted link, the advisory said.
A successful exploit lets the attacker “perform arbitrary actions” with the privilege of the affected user, all the way up to admin privileges.
CVE-2024-20252 and CVE-2024-20254 (both have a CVSS score of 9.6) allow a successful attacker to modify the system configuration and create new privileged accounts.
The lower-rated CVE-2024-20255 (CVSS score 8.2) also allows an attacker to execute some system commands, but only exposes the victim to a denial-of-service attack.
The vulnerabilities affect Cisco Expressway Series older than 14.0 (which needs an upgrade to a later, fixed version), 14.0 (fixed in 14.3.4), and 15.0 (fixed in 15.0.0).
The bugs also affect the end-of-life Cisco TelePresence video communication server, which will not receive a patch.