Home / Threat Intelligence bulletins / Cisco discloses critical vulnerability in patch release


Cisco has disclosed a critical vulnerability in their patch release which addressed 40 security flaws. The related patch provides a fix for two vulnerabilities in the API and in the web-based management interface of the Cisco Expressway Series and the Cisco TelePresence Video Communication Server (VCS)

The vulnerabilities are not dependent on one another and, therefore, exploitation of one of the vulnerabilities is not required to exploit another vulnerability. Further, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities.

The critical flaw, tracked as, [CVE-2022-20812] (CVSSv3 Base Score: 9.0), relates to path traversal on an affected system and the overwriting of files on the underlying operating system as a root user. The related vulnerability tracked as [CVE-2022-20813] (CVSS Base Score: 7.4) pertains to the unauthorised access to sensitive data.


– A threat actor could exploit [CVE-2022-20812] by authenticating to the system as an administrative read-write user and submitting crafted input to the affected command. Successful exploitation could allow the threat actor to overwrite arbitrary files on the underlying operating system as the root user.

– A threat actor could exploit [CVE-2022-20813] by implementing a man-in-the-middle technique to intercept the traffic between devices, and subsequently apply a crafted certificate to impersonate the endpoint. Successful exploitation could allow the threat actor to view the intercepted traffic in clear text or alter the contents of the traffic.

Vulnerability Detection

Security patches for these vulnerabilities have been released by Cisco. Previous versions therefore remain vulnerable to potential exploitation.

Affected Products

– Cisco Expressway Series version
– Cisco TelePresence Video Communication Server (VCS)

Containment, Mitigations & Remediations

There are no workarounds that address these vulnerabilities. As such, it is strongly recommended that users upgrade the affected products to version 14.3 or higher.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available at this time.

Threat Landscape

Cisco has a significant proportion of the enterprise network infrastructure market share. Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on, Cisco products have become a prime target. Due to the fact that Cisco products have become an integral aspect of business operations, threat actors will continue to exploit vulnerabilities contained within the associated products in an attempt to extract the sensitive data contained therein.

Threat Group

No attribution to specific threat actors or groups have been identified at the time of writing.

Mitre Methodologies

TA0007– Discovery

Discovery Technique:
T1083 – File and Directory Discovery

TA0009 – Collection

Collection Technique:
T1557– Adversary-in-the-Middle

TA0040 – Impact

Impact Technique:
T1485 – Data Destruction

Further Information

Cisco Advisory

Intelligence Terminology Yardstick