A critical vulnerability in Cisco BroadWorks, a unified communications platform, could allow a threat actor to take control of a customer’s system or cause a denial of service, according to the Cybersecurity and Infrastructure Security Agency.
Threat actors could exploit the vulnerability, CVE-2023-20238, in the single sign-on implementation of some versions of Cisco BroadWorks to forge credentials and execute privileged commands, Cisco said Wednesday in a security advisory. The vulnerability carries the maximum CVSS score of 10 out of 10.
“We are not aware of any malicious use of this vulnerability, and fixed software is available,” a Cisco spokesperson told Cybersecurity Dive via email.
There are no workarounds for the vulnerability; the only remedy is to apply the fixed software. If a threat actor forges credentials at the administrator account level, the flaw could expose confidential information.
CISA has issued two security alerts about vulnerabilities in multiple Cisco products since mid-August, and CVE-2023-20238 marks the twelfth critical vulnerability disclosed by Cisco this year.
“Cisco follows a well-established disclosure process for reporting security vulnerabilities in our products,” the company spokesperson said.
The steady pace of vulnerabilities in software used by enterprises underscores CISA’s continued push to encourage technology vendors to build products in a way that prevents the need for customers to constantly perform monitoring, routine updates and damage control on their systems to mitigate cyber intrusions.
Cisco has issued 157 security advisories for its products this year. Microsoft, by comparison, has issued 926 CVEs so far this year. Both companies are widely used enterprise vendors.