How severe is CVE-2024-20492?

Medium severity. CVSS v3 base score is 6.0 out of 10.

Is CVE-2024-20492 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

RCE in Cisco Telepresence Video Communication Server (Vcs) Expressway

CVE-2024-20492

A vulnerability in the restricted shell of Cisco Expressway Series could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. To exploit this vulnera…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.003 (50.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.0 (Medium). Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N.

Affected products

Cisco Telepresence Video Communication Server (Vcs) Expressway — versions X8.11.2, X8.6, X8.11.3

Weakness classification (CWE)

CWE-77 — Command Injection

Public proof-of-concept exploits

fkie-cad/nvd-json-data-feeds

References

cisco-sa-expw-escalation-3bkz77bD

Frequently asked questions

What is CVE-2024-20492?: CVE-2024-20492 is a medium-severity vulnerability in Cisco Telepresence Video Communication Server (Vcs) Expressway, classified under Command Injection. CVSS score: 6.0/10. Published 2024-10-02.
How severe is CVE-2024-20492?: Medium severity. CVSS v3 base score is 6.0 out of 10.
Is CVE-2024-20492 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.