Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Cisco Patches Critical Vulnerabilities in Enterprise Communication Devices

Two critical vulnerabilities in Cisco Expressway series devices can be exploited in CSRF attacks without authentication.

Cisco on Wednesday announced patches for two critical-severity vulnerabilities in its Expressway series devices that could be exploited remotely, without authentication, to launch cross-site request forgery (CSRF) attacks.

Impacting the API of Expressway series enterprise communication and collaboration devices and tracked as CVE-2024-20252 and CVE-2024-20254 (CVSS score of 9.6), the two security defects are due to insufficient CSRF protections for the web-based management interface of the vulnerable systems.

“An attacker could exploit these vulnerabilities by persuading a user of the API to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user,” Cisco explains in an advisory.

By targeting an administrator, an attacker could exploit these flaws to modify the system configuration and create new privileged accounts.

Cisco Expressway series releases 14.3.4 and 15.0.0 resolve both issues. Users of releases prior to 14.0 are advised to upgrade to a fixed version. Additional steps are required for a complete fix. 

The software updates also address CVE-2024-20255, a high-severity bug leading to CSRF attacks, which could allow a remote, unauthenticated attacker to modify configuration settings and cause a denial-of-service (DoS) condition.

Advertisement. Scroll to continue reading.

Cisco also warns that it has not released patches for TelePresence Video Communication Server (VCS), which has reached its end-of-support date, recommending that users migrate to a supported product.

On Wednesday, Cisco also announced patches for a high-severity vulnerability in ClamAV that could allow a remote attacker to cause a DoS condition by submitting a crafted file containing OLE2 content.

The flaw, tracked as CVE-2024-20290, was resolved in Secure Endpoint Connector for Windows versions 7.5.17 and 8.2.1, which are available through the Cisco Secure Endpoint portal, and in Secure Endpoint Private Cloud version 3.8.0.

Cisco says it is not aware of any of these vulnerabilities being exploited in malicious attacks. Additional details can be found on the company’s security advisories page.

Related: Cisco Patches Critical Vulnerability in Enterprise Collaboration Products

Related: Cisco Patches Critical Vulnerability in Unity Connection Product

Related: Exploitation of Recent Cisco IOS XE Vulnerabilities Spikes

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.