Cisco has released software updates to address several vulnerabilities that have been identified in its TelePresence products, which can be exploited by hackers to compromise a vulnerable system.
It has also urged its customers to update their TelePresence software. Customers are also advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments.
Cisco said in an advisory published on May 13 that no workarounds that mitigate the vulnerabilities are available. The vulnerabilities were identified during its internal tests and product security reviews.
“The vulnerability in the web framework of multiple Cisco TelePresence products could allow an authenticated or remote attacker to inject arbitrary commands that are executed with the privileges of the root user,” Cisco said in its advisory.
“The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the affected parameter in a web page.”
“Administrative privileges are required in order to access the affected parameter. A successful exploit could allow an attacker to execute system commands with the privileges of the root user,” the advisory added.
Cisco said that although this is a serious vulnerability with a CVSS score of 9.0, it has found no evidence that the flaw has been leveraged for malicious purposes.