CVE-2023-20209

MEDIUM

Cisco Expressway Series/VCS - Command Injection

Title source: llm

Description

A vulnerability in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker with read-write privileges on the application to perform a command injection attack that could result in remote code execution on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to establish a remote shell with root privileges.

Exploits (2)

nomisec WORKING POC
by peter5he1by · poc
https://github.com/peter5he1by/CVE-2023-20209

References (1)

Scores

CVSS v3 6.5
EPSS 0.3191
EPSS Percentile 96.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Details

CWE
CWE-94 CWE-77
Status published
Products (1)
cisco/telepresence_video_communication_server < 14.3.1 (2 CPE variants)
Published Aug 16, 2023
Tracked Since Feb 18, 2026