Cisco has announced patches for two critical-severity vulnerabilities in its Expressway series devices that could be exploited remotely, without authentication, to launch cross-site request forgery (CSRF) attacks.
The two security flaws, identified as CVE-2024-20252 and CVE-2024-20254 (both with a CVSS score of 9.6), affect the API of Expressway series enterprise communication and collaboration devices. They are caused by inadequate CSRF protections in the web-based management interface of the affected systems. An attacker could take advantage of these flaws by convincing an API user to click on a malicious link.
According to a Cisco advisory, “a successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user.”
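The advisory describes the general CSRF pattern: the victim's browser attaches the session cookie to a request that a malicious page caused it to send, and a management API that authorizes on the cookie alone carries out the action. The following is an added example, not Cisco's code and not taken from the Expressway product, that shows a weak cookie-only authorization check beside a hardened one that binds a per-session token to a custom request header and also verifies the `Origin`. The session store, the management host name `expressway.example.internal` and the request samples are constructed for illustration.

```python
import hmac
import secrets
from typing import Mapping, Optional
from urllib.parse import urlparse

# Constructed in-memory session store: session id -> {"user": ..., "csrf": ...}
SESSIONS: dict[str, dict[str, str]] = {}

# Hypothetical management host; a real deployment would use its own origin.
ALLOWED_ORIGIN = urlparse("https://expressway.example.internal")

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def create_session(username: str) -> tuple[str, str]:
    """Issue a session id (delivered as a cookie) and a per-session CSRF token.
    The token is returned to the page's script, not stored in a cookie, so a
    cross-origin page cannot read it and cannot place it in a custom header."""
    sid = secrets.token_urlsafe(32)
    token = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf": token}
    return sid, token


def vulnerable_authorize(method: str, headers: Mapping[str, str],
                         cookies: Mapping[str, str]) -> Optional[str]:
    """Weak check: any request carrying a valid session cookie is accepted.
    Browsers attach cookies automatically, so a form on another site that
    targets this endpoint is executed with the victim's privileges."""
    sess = SESSIONS.get(cookies.get("session_id", ""))
    return sess["user"] if sess else None


def hardened_authorize(method: str, headers: Mapping[str, str],
                       cookies: Mapping[str, str]) -> Optional[str]:
    """Same cookie check, plus CSRF defences for state-changing methods."""
    sess = SESSIONS.get(cookies.get("session_id", ""))
    if sess is None:
        return None
    if method.upper() not in STATE_CHANGING:
        return sess["user"]  # read-only requests cannot change state, no token needed

    # 1. Synchronizer token carried in a custom header. A cross-origin HTML form
    #    cannot set custom headers, and a cross-origin script cannot read the token.
    presented = _header(headers, "X-CSRF-Token").encode()
    if not hmac.compare_digest(presented, sess["csrf"].encode()):
        return None

    # 2. Origin check as defence in depth. Browsers send Origin on cross-origin
    #    state-changing requests; a missing value is rejected here (conservative).
    raw = _header(headers, "Origin") or _header(headers, "Referer")
    if not raw:
        return None
    parsed = urlparse(raw)
    if (parsed.scheme, parsed.netloc) != (ALLOWED_ORIGIN.scheme, ALLOWED_ORIGIN.netloc):
        return None
    return sess["user"]


def demo() -> dict[str, bool]:
    """Constructed scenario: an administrator with a live session, then a request
    shaped like one a malicious page could make the administrator's browser send."""
    SESSIONS.clear()
    sid, token = create_session("admin")
    cookies = {"session_id": sid}  # the browser attaches this to every request
    forged_headers = {"Origin": "https://attacker.example",
                      "Content-Type": "application/x-www-form-urlencoded"}
    legit_headers = {"Origin": ALLOWED_ORIGIN.geturl(), "X-CSRF-Token": token}
    return {
        "vulnerable_accepts_forged": vulnerable_authorize("POST", forged_headers, cookies) == "admin",
        "hardened_rejects_forged": hardened_authorize("POST", forged_headers, cookies) is None,
        "hardened_accepts_legit": hardened_authorize("POST", legit_headers, cookies) == "admin",
        "hardened_allows_read": hardened_authorize("GET", {}, cookies) == "admin",
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The token comparison uses `hmac.compare_digest` so that response timing does not leak how many leading bytes of a guessed token were correct; the origin comparison parses the header rather than using a string prefix, which would otherwise accept a host such as `expressway.example.internal.attacker.example`.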