Cisco reports critical vulnerabilities in its Expressway Series

published: Feb. 8, 2024

Take action: Patching the Cisco Expressway Series is prudent, but the first layer of defense is users being careful about phishing links. Just don't forget the patch process, because someone will be phished.

Learn More

Cisco has announced the discovery of three critical vulnerabilities within its Cisco Expressway Series unified communications gateways. The vulnerabilities reside in the web management interface of the Cisco Expressway Control and Cisco Expressway Edge devices.

  • CVE-2024-20252 (CVSS score 9.6) and CVE-2024-20254 (CVSS score 9.6) are two vulnerabilities in the API of Cisco Expressway Series devices that could allow an unauthenticated, remote attacker to conduct CSRF attacks on an affected system by persuading a user of the API to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user.
  • CVE-2024-20255 (CVSS score 8.2) is a vulnerability in the API of the Cisco Expressway Series that could allow an unauthenticated, remote attacker to conduct a CSRF attack on an affected system and cause a denial of service (DoS) condition.

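The bullets above describe the classic CSRF pattern: a browser that already holds a valid session cookie is steered to a crafted link, and the server accepts the resulting state-changing request as if the user had intended it. The following is an added example, not Cisco's code and not taken from the Expressway API, of the two checks a web management API should apply to defeat that: an Origin/Referer check and a per-session anti-CSRF token compared in constant time. The hostname, header names and request shapes are assumptions chosen for illustration; the "before" handler shows why cookie-only authentication is not enough.

```python
"""Added example: generic CSRF defenses for a cookie-authenticated, state-changing
API endpoint. Not Cisco's code; the origin, header names and request dicts are
constructed for illustration."""
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed: the only origin the management UI is served from.
TRUSTED_ORIGIN = "https://expressway.example.internal"
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def issue_csrf_token(session: dict) -> str:
    """Mint an unguessable per-session token and store it server-side."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def origin_allowed(headers: dict) -> bool:
    """Accept the request only if the browser-set Origin (or, failing that,
    Referer) names the trusted origin. A crafted link on another site cannot
    forge these headers, so a cross-site request is rejected here."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False  # no provenance at all: fail closed
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == TRUSTED_ORIGIN


def csrf_safe(request: dict, session: dict) -> bool:
    """True when a request is either a safe method or passes both checks."""
    if request["method"] in SAFE_METHODS:
        return True  # safe methods must never change state
    if not origin_allowed(request["headers"]):
        return False
    expected = session.get("csrf_token")
    supplied = request["headers"].get("X-CSRF-Token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return bool(expected) and hmac.compare_digest(expected, supplied)


def vulnerable_handler(request: dict, session: dict) -> int:
    """Before: the session cookie alone authorises the action, which is
    exactly what a CSRF request carries. Returns an HTTP status code."""
    if not session.get("user"):
        return 401
    return 200  # state-changing action performed


def hardened_handler(request: dict, session: dict) -> int:
    """After: authenticated AND demonstrably same-origin with a valid token."""
    if not session.get("user"):
        return 401
    if not csrf_safe(request, session):
        return 403
    return 200


def demo() -> tuple:
    """Run constructed requests through both handlers."""
    session = {"user": "admin"}
    token = issue_csrf_token(session)
    legit = {"method": "POST",
             "headers": {"Origin": TRUSTED_ORIGIN, "X-CSRF-Token": token}}
    # Constructed cross-site request: browser attaches the cookie, but the
    # Origin is foreign and no token is present.
    cross_site = {"method": "POST",
                  "headers": {"Origin": "https://other.example"}}
    # Right origin but stale/missing token: still rejected.
    no_token = {"method": "POST", "headers": {"Origin": TRUSTED_ORIGIN}}
    return (vulnerable_handler(cross_site, session),
            hardened_handler(cross_site, session),
            hardened_handler(no_token, session),
            hardened_handler(legit, session))


if __name__ == "__main__":
    print(demo())
```

Setting the session cookie with the SameSite attribute adds a third, browser-enforced layer, but it does not replace the server-side checks above: older clients and some cross-site navigations still send cookies, so an API that changes state must verify provenance itself.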
These vulnerabilities affect versions of the software up to 14.0, and version 15.0. Cisco has addressed these vulnerabilities by releasing patches in versions 14.3.4 and 15.0.0. However, the Cisco TelePresence Video Communication Server, which is also affected by these issues, will not receive these patches.