Cisco Expressway Series and Cisco TelePresence Video Communication Server Denial of Service Vulnerability
Description
A vulnerability in the XML API of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to cause the CPU to increase to 100% utilization, causing a denial of service (DoS) condition on an affected system. The vulnerability is due to improper handling of the XML input. An attacker could exploit this vulnerability by sending a specifically crafted XML payload. A successful exploit could allow the attacker to exhaust CPU resources, resulting in a DoS condition until the system is manually rebooted. Software versions prior to X12.5.1 are affected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crafted XML payload causes 100% CPU usage in Cisco Expressway and TelePresence VCS, requiring a manual reboot.
Vulnerability
The vulnerability resides in the XML API of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS). It is due to improper handling of specially crafted XML input. Software versions prior to X12.5.1 are affected [1]. Authenticated, remote access is required to reach the vulnerable API.
Exploitation
An attacker with valid authentication and network access to the device can send a specifically crafted XML payload to the XML API [1]. The exploit does not require any additional user interaction or elevated privileges beyond the initial authenticated access.
Impact
Successful exploitation causes the CPU utilization to rise to 100%, exhausting CPU resources and resulting in a denial of service (DoS) condition [1]. The affected system remains in this state until it is manually rebooted, causing prolonged service disruption.
Mitigation
Cisco has released software version X12.5.1 which contains the fix for this vulnerability [1]. There are no workarounds to address the issue; upgrading to the fixed version is the only mitigation. The advisory does not list this CVE as part of CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: < X12.5.1
- (no CPE) range: unspecified
- Range: < X12.5.1
References
- tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-ces-tvcs-dos (mitre, vendor-advisory, x_refsource_CISCO)
- www.securityfocus.com/bid/108002 (mitre, vdb-entry, x_refsource_BID)