Cisco on Wednesday announced patches for two critical-severity vulnerabilities in its Expressway series devices that could be exploited remotely, without authentication, to launch cross-site request forgery (CSRF) attacks.
Impacting the API of Expressway series enterprise communication and collaboration devices and tracked as CVE-2024-20252 and CVE-2024-20254 (CVSS score of 9.6), the two security defects are due to insufficient CSRF protections for the web-based management interface of the vulnerable systems.
“An attacker could exploit these vulnerabilities by persuading a user of the API to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user,” Cisco explains in an advisory.
By targeting an administrator, an attacker could exploit these flaws to modify the system configuration and create new privileged accounts.
Cisco Expressway series releases 14.3.4 and 15.0.0 resolve both issues. Users of releases prior to 14.0 are advised to upgrade to a fixed version. Additional steps are required for a complete fix.
The software updates also address CVE-2024-20255, a high-severity bug leading to CSRF attacks, which could allow a remote, unauthenticated attacker to modify configuration settings and cause a denial-of-service (DoS) condition.
Cisco also warns that it has not released patches for TelePresence Video Communication Server (VCS), which has reached its end-of-support date, recommending that users migrate to a supported product.
On Wednesday, Cisco also announced patches for a high-severity vulnerability in ClamAV that could allow a remote attacker to cause a DoS condition by submitting a crafted file containing OLE2 content.
The flaw, tracked as CVE-2024-20290, was resolved in Secure Endpoint Connector for Windows versions 7.5.17 and 8.2.1, which are available through the Cisco Secure Endpoint portal, and in Secure Endpoint Private Cloud version 3.8.0.
Cisco says it is not aware of any of these vulnerabilities being exploited in malicious attacks. Additional details can be found on the company’s security advisories page.