Connect with us

Hi, what are you looking for?



Cisco Patches Critical Vulnerabilities in Enterprise Communication Devices

Two critical vulnerabilities in Cisco Expressway series devices can be exploited in CSRF attacks without authentication.

Cisco on Wednesday announced patches for two critical-severity vulnerabilities in its Expressway series devices that could be exploited remotely, without authentication, to launch cross-site request forgery (CSRF) attacks.

Impacting the API of Expressway series enterprise communication and collaboration devices and tracked as CVE-2024-20252 and CVE-2024-20254 (CVSS score of 9.6), the two security defects are due to insufficient CSRF protections for the web-based management interface of the vulnerable systems.

“An attacker could exploit these vulnerabilities by persuading a user of the API to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user,” Cisco explains in an advisory.

By targeting an administrator, an attacker could exploit these flaws to modify the system configuration and create new privileged accounts.

Cisco Expressway series releases 14.3.4 and 15.0.0 resolve both issues. Users of releases prior to 14.0 are advised to upgrade to a fixed version. Additional steps are required for a complete fix. 

The software updates also address CVE-2024-20255, a high-severity bug leading to CSRF attacks, which could allow a remote, unauthenticated attacker to modify configuration settings and cause a denial-of-service (DoS) condition.

Cisco also warns that it has not released patches for TelePresence Video Communication Server (VCS), which has reached its end-of-support date, recommending that users migrate to a supported product.

On Wednesday, Cisco also announced patches for a high-severity vulnerability in ClamAV that could allow a remote attacker to cause a DoS condition by submitting a crafted file containing OLE2 content.

Advertisement. Scroll to continue reading.

The flaw, tracked as CVE-2024-20290, was resolved in Secure Endpoint Connector for Windows versions 7.5.17 and 8.2.1, which are available through the Cisco Secure Endpoint portal, and in Secure Endpoint Private Cloud version 3.8.0.

Cisco says it is not aware of any of these vulnerabilities being exploited in malicious attacks. Additional details can be found on the company’s security advisories page.

Related: Cisco Patches Critical Vulnerability in Enterprise Collaboration Products

Related: Cisco Patches Critical Vulnerability in Unity Connection Product

Related: Exploitation of Recent Cisco IOS XE Vulnerabilities Spikes

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.