Cisco Video Conferencing Systems Vulnerable to Hacking

CVE: CVE-2024-20254
CVSS v3.1: 9.6
Source: CVE-2024-20254

Cisco Expressway and Cisco TelePresence Video Communication Server (VCS) are video conferencing tools used widely in businesses and organizations. Unfortunately, security researchers have discovered multiple vulnerabilities in these systems that could allow remote attackers to take control of devices without authentication.

The vulnerabilities allow a type of attack called Cross-Site Request Forgery (CSRF), in which a hacker tricks a user’s browser into performing actions on a targeted site on the hacker’s behalf. In this case, a hacker could exploit the vulnerabilities to remotely issue commands and gain full access to an affected Cisco video conferencing device.

If the targeted user is an administrator, this would give an attacker access to features like adding or removing users, changing security settings and more. For regular users, a successful exploit could allow the recording or interception of private video calls and meetings.

The best way for organizations using Cisco video conferencing tools to protect themselves is to apply the latest software updates released by Cisco. Administrators should also ensure that appropriate access controls and monitoring are set up to detect any unauthorized changes.
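One way to monitor for the kind of forged request described above, as an added example that is not Cisco's code or part of the original article: it scans web access logs for state-changing requests whose Referer does not point back at the management interface itself. It assumes the management UI sits behind a reverse proxy that writes Combined Log Format; the hostname, URL paths and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hostname administrators use to reach the management web UI.
MGMT_HOST = "expressway.example.internal"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Combined Log Format: ip - user [time] "METHOD path proto" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def referer_host(referer):
    """Return the lowercase host of a Referer value, or None if it is absent."""
    if referer in ("", "-"):
        return None
    return (urlsplit(referer).hostname or "").lower() or None

def suspicious_requests(lines, mgmt_host=MGMT_HOST):
    """Yield (reason, fields) for state-changing requests not sent from the UI's own pages."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        f = m.groupdict()
        if f["method"] not in STATE_CHANGING:
            continue  # only requests that change settings or accounts are of interest
        host = referer_host(f["referer"])
        if host is None:
            # Weak signal: referrer policies and some clients also strip the header.
            yield "missing-referer", f
        elif host != mgmt_host.lower():
            # Strong signal: the browser was sent here by a page on another site.
            yield "cross-site-referer", f

# Constructed sample log lines; the paths are hypothetical, not real product URLs.
SAMPLE_LOG = [
    '10.0.0.5 - admin [22/Jan/2024:10:14:40 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.5 - admin [22/Jan/2024:10:15:02 +0000] "POST /users/add HTTP/1.1" 200 512 "https://expressway.example.internal/users" "Mozilla/5.0"',
    '10.0.0.5 - admin [22/Jan/2024:10:21:37 +0000] "POST /users/add HTTP/1.1" 200 512 "https://news.example.net/article" "Mozilla/5.0"',
    '10.0.0.7 - admin [22/Jan/2024:10:30:11 +0000] "POST /settings/security HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '10.0.0.9 - user1 [22/Jan/2024:10:31:00 +0000] "GET /status HTTP/1.1" 200 300 "https://news.example.net/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for reason, f in suspicious_requests(SAMPLE_LOG):
        print(reason, f["time"], f["user"], f["method"], f["path"], f["referer"])
```

Hits are leads to correlate with the device's own configuration change records, not proof of compromise on their own.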

Users should be wary of unexpected or suspicious meeting invites and only join calls from trusted sources. Using up-to-date browsers can also help reduce the risk of CSRF attacks. Taking some simple precautions can help prevent hackers from disrupting important video conferences or accessing private discussions.
