Cisco TelePresence Conductor, Cisco Expressway Series, and Cisco TelePresence Video Communication Server REST API Server-Side Request Forgery Vulnerability
Description
A vulnerability in the web interface of Cisco TelePresence Conductor, Cisco Expressway Series, and Cisco TelePresence Video Communication Server (VCS) Software could allow an authenticated, remote attacker to trigger an HTTP request from an affected server to an arbitrary host. This type of attack is commonly referred to as server-side request forgery (SSRF). The vulnerability is due to insufficient access controls for the REST API of Cisco Expressway Series and Cisco TelePresence VCS. An attacker could exploit this vulnerability by submitting a crafted HTTP request to the affected server. Versions prior to XC4.3.4 are affected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An SSRF vulnerability in the REST API of Cisco TelePresence Conductor, Expressway Series, and VCS allows authenticated remote attackers to trigger HTTP requests to arbitrary hosts.
Vulnerability
The vulnerability is a server-side request forgery (SSRF) in the REST API of Cisco Expressway Series, Cisco TelePresence Video Communication Server (VCS), and Cisco TelePresence Conductor software. It stems from insufficient access controls for the REST API. Affected versions are prior to release XC4.3.4. [1]
Exploitation
An authenticated, remote attacker can exploit this vulnerability by sending a crafted HTTP request to the affected server. No user interaction is required beyond authentication. [1]
Impact
Successful exploitation allows the attacker to trigger an HTTP request from the affected server to an arbitrary host, potentially leading to information disclosure or further attacks against internal systems. [1]
Mitigation
Cisco has released software updates to address the vulnerability. Fixed versions are available for all affected products. There are no workarounds. Affected users should upgrade to version XC4.3.4 or later. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <XC4.3.4
- (no CPE) range: <XC4.3.4
- (no CPE) range: unspecified
- (no CPE) range: <XC4.3.4
- (no CPE) range: unspecified
- Range: unspecified
Patches
No patches discovered yet.
References
- tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190206-rest-api-ssrf (mitre, vendor-advisory, x_refsource_CISCO)
- www.securityfocus.com/bid/106940 (mitre, vdb-entry, x_refsource_BID)