CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
EPSS
Percentile
5.1%
A vulnerability in the command-line interface (CLI) of the Cisco TelePresence Video Communication Server (VCS) Expressway could allow an authenticated, local attacker to inject arbitrary arguments to a script on an affected system.
The vulnerability is due to insufficient input validation of content on a local file. An attacker could exploit this vulnerability by writing arbitrary code to the affected file. An exploit could allow the attacker to write options to a file that has root privileges.
Cisco has confirmed the vulnerability; however, software updates are not available.
To exploit this vulnerability, an attacker must authenticate and have local access to the targeted device. These access requirements may reduce the likelihood of a successful exploit.
Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.
Vendor | Product | Version | CPE |
---|---|---|---|
cisco | telepresence_video_communication_server | any | cpe:2.3:a:cisco:telepresence_video_communication_server:any:*:*:*:expressway:*:*:* |