CRITICALCVE-2024-20252CVSS 9.6

CVE-2024-20252: CSRF in Cisco TelePresence VCS Expressway

Platform

cisco

Component

cisco-telepresence-video-communication-server-vcs-expressway

Fixed in

8.5.2

8.5.4

8.5.1

8.6.2

8.6.1

8.1.2

8.1.3

8.1.1

8.2.2

8.2.3

8.2.1

8.7.2

8.7.3

8.7.4

8.7.1

8.8.2

8.8.3

8.8.4

8.8.1

8.9.2

8.9.3

8.9.1

8.10.1

8.10.2

8.10.3

8.10.4

8.10.5

12.5.9

12.5.10

12.5.1

12.5.3

12.5.8

12.5.4

12.5.5

12.5.6

12.5.2

12.5.7

12.6.1

12.6.2

12.6.3

12.6.4

12.6.5

12.7.1

12.7.2

8.11.2

8.11.3

8.11.5

8.11.4

8.11.1

14.0.2

14.0.4

14.0.3

14.0.5

14.0.6

14.0.7

14.0.8

14.0.9

14.0.10

14.0.11

14.0.12

14.2.2

14.2.3

14.2.6

14.2.7

14.2.1

14.2.8

14.3.1

14.3.2

14.3.3

AI Confidence: highNVDEPSS 3.4%Reviewed: May 2026

View on NVD

Save

CVE-2024-20252 describes a cross-site request forgery (CSRF) vulnerability affecting Cisco TelePresence Video Communication Server (VCS) Expressway devices. This vulnerability allows an unauthenticated, remote attacker to execute arbitrary actions on the affected system, potentially leading to unauthorized configuration changes or data breaches. The vulnerability impacts Expressway Control (Expressway-C) and Expressway Edge (Expressway-E) devices running versions X8.1 through X14.3.2. Cisco has released a patch in version 14.3.3.

Impact and Attack Scenarios

The CSRF vulnerability allows an attacker to trick a legitimate user into unknowingly performing actions on the Expressway device. This could involve modifying system configurations, adding or removing users, or even initiating video calls. Because the vulnerability is unauthenticated, an attacker does not need valid credentials to exploit it. The potential impact is significant, as a successful attack could grant an attacker complete control over the Expressway device, potentially compromising the entire video conferencing infrastructure. This is particularly concerning in environments where Expressway devices manage critical video conferencing services for sensitive communications.

Exploitation Context

This vulnerability is considered critical due to its ease of exploitation and potential impact. While no public exploits have been widely reported, the unauthenticated nature of the vulnerability makes it a high-priority target. It has been added to the CISA KEV catalog, indicating a significant risk to federal agencies. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

EPSS

3.38% (87% percentile)

CISA SSVC

Exploitationnone

Automatableno

Technical Impacttotal

CVSS Vector

Affected Software

Componentcisco-telepresence-video-communication-server-vcs-expressway

VendorCisco

Affected rangeFixed in

X8.5.1 – X8.5.18.5.2

X8.5.3 – X8.5.38.5.4

X8.5 – X8.58.5.1

X8.6.1 – X8.6.18.6.2

X8.6 – X8.68.6.1

X8.1.1 – X8.1.18.1.2

X8.1.2 – X8.1.28.1.3

X8.1 – X8.18.1.1

X8.2.1 – X8.2.18.2.2

X8.2.2 – X8.2.28.2.3

X8.2 – X8.28.2.1

X8.7.1 – X8.7.18.7.2

X8.7.2 – X8.7.28.7.3

X8.7.3 – X8.7.38.7.4

X8.7 – X8.78.7.1

X8.8.1 – X8.8.18.8.2

X8.8.2 – X8.8.28.8.3

X8.8.3 – X8.8.38.8.4

X8.8 – X8.88.8.1

X8.9.1 – X8.9.18.9.2

X8.9.2 – X8.9.28.9.3

X8.9 – X8.98.9.1

X8.10.0 – X8.10.08.10.1

X8.10.1 – X8.10.18.10.2

X8.10.2 – X8.10.28.10.3

X8.10.3 – X8.10.38.10.4

X8.10.4 – X8.10.48.10.5

X12.5.8 – X12.5.812.5.9

X12.5.9 – X12.5.912.5.10

X12.5.0 – X12.5.012.5.1

X12.5.2 – X12.5.212.5.3

X12.5.7 – X12.5.712.5.8

X12.5.3 – X12.5.312.5.4

X12.5.4 – X12.5.412.5.5

X12.5.5 – X12.5.512.5.6

X12.5.1 – X12.5.112.5.2

X12.5.6 – X12.5.612.5.7

X12.6.0 – X12.6.012.6.1

X12.6.1 – X12.6.112.6.2

X12.6.2 – X12.6.212.6.3

X12.6.3 – X12.6.312.6.4

X12.6.4 – X12.6.412.6.5

X12.7.0 – X12.7.012.7.1

X12.7.1 – X12.7.112.7.2

X8.11.1 – X8.11.18.11.2

X8.11.2 – X8.11.28.11.3

X8.11.4 – X8.11.48.11.5

X8.11.3 – X8.11.38.11.4

X8.11.0 – X8.11.08.11.1

X14.0.1 – X14.0.114.0.2

X14.0.3 – X14.0.314.0.4

X14.0.2 – X14.0.214.0.3

X14.0.4 – X14.0.414.0.5

X14.0.5 – X14.0.514.0.6

X14.0.6 – X14.0.614.0.7

X14.0.7 – X14.0.714.0.8

X14.0.8 – X14.0.814.0.9

X14.0.9 – X14.0.914.0.10

X14.0.10 – X14.0.1014.0.11

X14.0.11 – X14.0.1114.0.12

X14.2.1 – X14.2.114.2.2

X14.2.2 – X14.2.214.2.3

X14.2.5 – X14.2.514.2.6

X14.2.6 – X14.2.614.2.7

X14.2.0 – X14.2.014.2.1

X14.2.7 – X14.2.714.2.8

X14.3.0 – X14.3.014.3.1

X14.3.1 – X14.3.114.3.2

X14.3.2 – X14.3.214.3.3

Weakness Classification (CWE)

CWE-352

Timeline

Reserved2023-11-08
Published2024-02-07
Modified2024-08-01
EPSS updated2026-04-02

Mitigation and Workarounds

The primary mitigation for CVE-2024-20252 is to upgrade to Cisco TelePresence VCS Expressway version 14.3.3 or later. If immediate upgrade is not possible, consider implementing temporary workarounds such as restricting access to sensitive administrative interfaces or implementing stricter authentication controls. Web Application Firewalls (WAFs) configured with appropriate CSRF protection rules can also help mitigate the risk, although this is not a substitute for patching. Monitor Expressway device logs for suspicious activity, particularly unexpected configuration changes or unauthorized user actions. Review and tighten access controls to minimize the potential impact of a successful CSRF attack.

How to fix

Update Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) to a version that is not affected by these vulnerabilities. See the Cisco security advisory for details on the fixed versions. Apply security updates as soon as possible to mitigate the risk of CSRF attacks.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2024-20252 — CSRF in Cisco TelePresence VCS Expressway?

CVE-2024-20252 is a critical CSRF vulnerability affecting Cisco TelePresence VCS Expressway devices, allowing unauthenticated attackers to perform actions as a legitimate user.

Am I affected by CVE-2024-20252 in Cisco TelePresence VCS Expressway?

If you are running Cisco TelePresence VCS Expressway versions X8.1–X14.3.2, you are potentially affected by this vulnerability.

How do I fix CVE-2024-20252 in Cisco TelePresence VCS Expressway?

Upgrade to Cisco TelePresence VCS Expressway version 14.3.3 or later to remediate the vulnerability. Consider temporary workarounds if immediate patching is not possible.

Is CVE-2024-20252 being actively exploited?

While no widespread exploitation has been confirmed, the unauthenticated nature of the vulnerability makes it a high-priority target and it's on the CISA KEV catalog.

Where can I find the official Cisco advisory for CVE-2024-20252?

Refer to the official Cisco Security Advisory for detailed information and mitigation steps: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-csrf-20240207

NextGuard

Vulnerabilities

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Search CVEs

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability: High — complete crash or resource exhaustion. Full denial of service.