CRITICALCVE-2024-20254CVSS 9.6

CVE-2024-20254: CSRF in Cisco TelePresence Expressway

Platform

cisco

Component

cisco-telepresence-video-communication-server-vcs-expressway

Fixed in

8.5.2

8.5.4

8.5.1

8.6.2

8.6.1

8.1.2

8.1.3

8.1.1

8.2.2

8.2.3

8.2.1

8.7.2

8.7.3

8.7.4

8.7.1

8.8.2

8.8.3

8.8.4

8.8.1

8.9.2

8.9.3

8.9.1

8.10.1

8.10.2

8.10.3

8.10.4

8.10.5

12.5.9

12.5.10

12.5.1

12.5.3

12.5.8

12.5.4

12.5.5

12.5.6

12.5.2

12.5.7

12.6.1

12.6.2

12.6.3

12.6.4

12.6.5

12.7.1

12.7.2

8.11.2

8.11.3

8.11.5

8.11.4

8.11.1

14.0.2

14.0.4

14.0.3

14.0.5

14.0.6

14.0.7

14.0.8

14.0.9

14.0.10

14.0.11

14.0.12

14.2.2

14.2.3

14.2.6

14.2.7

14.2.1

14.2.8

14.3.1

14.3.2

14.3.3

AI Confidence: highNVDEPSS 2.3%Reviewed: May 2026

View on NVD

Save

CVE-2024-20254 describes a cross-site request forgery (CSRF) vulnerability present in Cisco TelePresence Video Communication Server (VCS) Expressway devices. This vulnerability allows an unauthenticated, remote attacker to execute arbitrary actions on an affected device, potentially leading to unauthorized configuration changes or data breaches. The vulnerability impacts Expressway Control (Expressway-C) and Expressway Edge (Expressway-E) devices running versions X8.1 through X14.3.2. A fix is available in version 14.3.3.

Impact and Attack Scenarios

The CSRF vulnerability allows an attacker to trick a legitimate user into unknowingly performing actions on the Expressway device. For example, an attacker could craft a malicious link that, when clicked by an authenticated user, modifies system settings, adds or removes users, or initiates unauthorized video conferences. The impact is particularly severe because the vulnerability is unauthenticated, meaning an attacker doesn't need valid credentials to exploit it. Successful exploitation could lead to complete compromise of the Expressway device and potentially provide a foothold into the broader network it serves, enabling lateral movement and data exfiltration. This vulnerability shares similarities with other CSRF attacks, where user interaction is leveraged to execute malicious commands.

Exploitation Context

CVE-2024-20254 was publicly disclosed on February 7, 2024. The CVSS score of 9.6 (CRITICAL) indicates a high probability of exploitation. While no public proof-of-concept (POC) code has been released as of this writing, the unauthenticated nature of the vulnerability and its critical severity suggest that it is likely to be targeted by attackers. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

EPSS

2.33% (85% percentile)

CVSS Vector

Affected Software

Componentcisco-telepresence-video-communication-server-vcs-expressway

VendorCisco

Affected rangeFixed in

X8.5.1 – X8.5.18.5.2

X8.5.3 – X8.5.38.5.4

X8.5 – X8.58.5.1

X8.6.1 – X8.6.18.6.2

X8.6 – X8.68.6.1

X8.1.1 – X8.1.18.1.2

X8.1.2 – X8.1.28.1.3

X8.1 – X8.18.1.1

X8.2.1 – X8.2.18.2.2

X8.2.2 – X8.2.28.2.3

X8.2 – X8.28.2.1

X8.7.1 – X8.7.18.7.2

X8.7.2 – X8.7.28.7.3

X8.7.3 – X8.7.38.7.4

X8.7 – X8.78.7.1

X8.8.1 – X8.8.18.8.2

X8.8.2 – X8.8.28.8.3

X8.8.3 – X8.8.38.8.4

X8.8 – X8.88.8.1

X8.9.1 – X8.9.18.9.2

X8.9.2 – X8.9.28.9.3

X8.9 – X8.98.9.1

X8.10.0 – X8.10.08.10.1

X8.10.1 – X8.10.18.10.2

X8.10.2 – X8.10.28.10.3

X8.10.3 – X8.10.38.10.4

X8.10.4 – X8.10.48.10.5

X12.5.8 – X12.5.812.5.9

X12.5.9 – X12.5.912.5.10

X12.5.0 – X12.5.012.5.1

X12.5.2 – X12.5.212.5.3

X12.5.7 – X12.5.712.5.8

X12.5.3 – X12.5.312.5.4

X12.5.4 – X12.5.412.5.5

X12.5.5 – X12.5.512.5.6

X12.5.1 – X12.5.112.5.2

X12.5.6 – X12.5.612.5.7

X12.6.0 – X12.6.012.6.1

X12.6.1 – X12.6.112.6.2

X12.6.2 – X12.6.212.6.3

X12.6.3 – X12.6.312.6.4

X12.6.4 – X12.6.412.6.5

X12.7.0 – X12.7.012.7.1

X12.7.1 – X12.7.112.7.2

X8.11.1 – X8.11.18.11.2

X8.11.2 – X8.11.28.11.3

X8.11.4 – X8.11.48.11.5

X8.11.3 – X8.11.38.11.4

X8.11.0 – X8.11.08.11.1

X14.0.1 – X14.0.114.0.2

X14.0.3 – X14.0.314.0.4

X14.0.2 – X14.0.214.0.3

X14.0.4 – X14.0.414.0.5

X14.0.5 – X14.0.514.0.6

X14.0.6 – X14.0.614.0.7

X14.0.7 – X14.0.714.0.8

X14.0.8 – X14.0.814.0.9

X14.0.9 – X14.0.914.0.10

X14.0.10 – X14.0.1014.0.11

X14.0.11 – X14.0.1114.0.12

X14.2.1 – X14.2.114.2.2

X14.2.2 – X14.2.214.2.3

X14.2.5 – X14.2.514.2.6

X14.2.6 – X14.2.614.2.7

X14.2.0 – X14.2.014.2.1

X14.2.7 – X14.2.714.2.8

X14.3.0 – X14.3.014.3.1

X14.3.1 – X14.3.114.3.2

X14.3.2 – X14.3.214.3.3

Weakness Classification (CWE)

CWE-352

Timeline

Reserved2023-11-08
Published2024-02-07
Modified2024-08-22
EPSS updated2026-04-02

Mitigation and Workarounds

The primary mitigation for CVE-2024-20254 is to upgrade to Cisco Expressway version 14.3.3 or later. If immediate upgrading is not possible, consider implementing temporary workarounds. These may include restricting access to the Expressway management interface to trusted networks, implementing strict input validation on all user-supplied data, and utilizing a Web Application Firewall (WAF) to filter out malicious requests. Configure the WAF to block requests containing suspicious parameters or patterns commonly associated with CSRF attacks. Regularly review Expressway device logs for any unusual activity or unauthorized modifications.

How to fix

Update Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) to an unaffected version. Refer to the Cisco advisory for details on fixed versions. Apply the security updates provided by Cisco as soon as possible.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2024-20254 — CSRF in Cisco TelePresence Expressway?

CVE-2024-20254 is a critical CSRF vulnerability affecting Cisco TelePresence Expressway devices (versions X8.1–X14.3.2) allowing unauthenticated attackers to perform arbitrary actions.

Am I affected by CVE-2024-20254 in Cisco TelePresence Expressway?

If you are running Cisco TelePresence Expressway versions X8.1 through X14.3.2, you are potentially affected by this vulnerability. Upgrade to version 14.3.3 or later to mitigate the risk.

How do I fix CVE-2024-20254 in Cisco TelePresence Expressway?

The recommended fix is to upgrade to Cisco Expressway version 14.3.3 or later. As a temporary workaround, implement WAF rules and restrict access to the management interface.

Is CVE-2024-20254 being actively exploited?

While no public exploits are currently known, the vulnerability's critical severity and unauthenticated nature suggest it is likely to be targeted. Monitor for signs of exploitation.

Where can I find the official Cisco advisory for CVE-2024-20254?

Refer to the official Cisco Security Advisory for detailed information and mitigation steps: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-multiple-vulnerabilities

NextGuard

Vulnerabilities

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability: High — complete crash or resource exhaustion. Full denial of service.

Scan free

Search CVEs