Cisco HCS Administrative Web Interface Arbitrary Command Execution Vulnerability

A vulnerability in the administrative web interface of Cisco Hosted Collaboration Solution (HCS) could allow an authenticated, remote attacker to execute arbitrary commands on the affected system and on the devices managed by the affected system.

The vulnerability is due to improper user input validation. An attacker could exploit this vulnerability by crafting input into the affected fields of the web interface on a targeted device. A successful exploit could allow the attacker to execute arbitrary commands on the device or on other devices managed by the device, which could be leveraged to conduct further attacks.

Cisco has confirmed the vulnerability and released software updates.

To exploit this vulnerability, an attacker must authenticate to the targeted device. This access requirement may reduce the likelihood of a successful exploit.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.