Cisco has shipped fixed software for a critical bug in its Expressway Series and TelePresence Video Communication Server (VCS) products, nine months after being first disclosed.
The bugs, in the APIs and web-based management consoles of the two products, were partially fixed last July.
CVE-2022-20812 is the API bug which allowed an authenticated remote administrator to overwrite operating system files as root.
CVE-2022-20813 allowed an unauthenticated remote man-in-the-middle attack to intercept traffic between devices, and then use a crafted certificate to impersonate an endpoint.
“A successful exploit could allow the attacker to view the intercepted traffic in clear text or alter the contents of the traffic”, Cisco’s advisory said.
That advisory has been updated to advise customers that version 14.0.7 of the software, released last July, provided “a partial fix” to the problem.
“For complete coverage, customers should upgrade to Release 14.3 or higher,” the advisory stated, adding that the fully patched version will ship later this month.