A vulnerability in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker with read-write privileges on the application to perform a command injection attack that could result in remote code execution on an affected device.

This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to establish a remote shell with root privileges.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.30117.

Exploitation poc

Automatable no

Technical Impact total

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
Cisco Cisco TelePresence Video Communication Server (VCS) Expressway affected
Version Status Constraints
X8.5.1 affected
X8.5.3 affected
X8.5 affected
X8.6.1 affected
X8.6 affected
X8.1.1 affected
X8.1.2 affected
X8.1 affected
X8.2.1 affected
X8.2.2 affected
X8.2 affected
X8.7.1 affected
X8.7.2 affected
X8.7.3 affected
X8.7 affected
X8.8.1 affected
X8.8.2 affected
X8.8.3 affected
X8.8 affected
X8.9.1 affected
X8.9.2 affected
X8.9 affected
X8.10.0 affected
X8.10.1 affected
X8.10.2 affected
X8.10.3 affected
X8.10.4 affected
X12.5.8 affected
X12.5.9 affected
X12.5.0 affected
X12.5.2 affected
X12.5.7 affected
X12.5.3 affected
X12.5.4 affected
X12.5.5 affected
X12.5.1 affected
X12.5.6 affected
X12.6.0 affected
X12.6.1 affected
X12.6.2 affected
X12.6.3 affected
X12.6.4 affected
X12.7.0 affected
X12.7.1 affected
X8.11.1 affected
X8.11.2 affected
X8.11.4 affected
X8.11.3 affected
X8.11.0 affected
X14.0.1 affected
X14.0.3 affected
X14.0.2 affected
X14.0.4 affected
X14.0.5 affected
X14.0.6 affected
X14.0.7 affected
X14.0.8 affected
X14.0.9 affected
X14.0.10 affected
X14.0.11 affected
X14.2.1 affected
X14.2.2 affected
X14.2.5 affected
X14.2.6 affected
X14.2.0 affected
X14.2.7 affected
X14.3.0 affected

Configuration 1 [-]

OR cpe:2.3:a:cisco:telepresence_video_communication_server:*:*:*:*:*:*:*:*
cpe:2.3:a:cisco:telepresence_video_communication_server:*:*:*:*:expressway:*:*:*

No data.

No data.

Project Subscriptions

Vendors Products
Cisco Subscribe
Telepresence Video Communication Server Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-injection-X475EbTQ cve-icon cve-icon
History

Wed, 17 Dec 2025 05:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'No', 'Exploitation': 'PoC', 'Technical Impact': 'Total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 23 Oct 2024 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'No', 'Exploitation': 'PoC', 'Technical Impact': 'Total'}, 'version': '2.0.3'}

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2025-12-16T18:23:20.308Z

Reserved: 2022-10-27T18:47:50.367Z

Link: CVE-2023-20209

cve-icon Vulnrichment

Updated: 2024-08-02T09:05:35.876Z

cve-icon NVD

Status : Modified

Published: 2023-08-16T21:15:09.650

Modified: 2024-11-21T07:40:50.800

Link: CVE-2023-20209

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses