vulnerability

Cisco TelePresence Video Communication Server (VCS) Expressway: CVE-2024-20492: Cisco Expressway Series Privilege Escalation Vulnerability

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
6	(AV:L/AC:L/Au:M/C:C/I:C/A:N)	Oct 2, 2024	Jan 10, 2025	Apr 1, 2026

Severity

CVSS

(AV:L/AC:L/Au:M/C:C/I:C/A:N)

Published

Oct 2, 2024

Added

Jan 10, 2025

Modified

Apr 1, 2026

Description

A vulnerability in the restricted shell of Cisco Expressway Series could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. To exploit this vulnerability, the attacker must have Administrator-level credentials with read-write privileges on an affected device.

This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a series of crafted CLI commands. A successful exploit could allow the attacker to escape the restricted shell and gain root privileges on the underlying operating system of the affected device.
Note: Cisco Expressway Series refers to Cisco Expressway Control (Expressway-C) devices and Cisco Expressway Edge (Expressway-E) devices.

Solution

cisco-telepresence-expressway-upgrade-latest

References

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report