CVE-2024-20255
Description
A vulnerability in the SOAP API of Cisco Expressway Series and Cisco TelePresence Video Communication Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected system. An attacker could exploit this vulnerability by persuading a user of the REST API to follow a crafted link. A successful exploit could allow the attacker to cause the affected system to reload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated CSRF vulnerability in Cisco Expressway Series and TelePresence VCS SOAP API allows remote attackers to reload the system.
Vulnerability
A cross-site request forgery (CSRF) vulnerability exists in the SOAP API of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) due to insufficient CSRF protections for the web-based management interface. This affects all versions prior to the fixed releases mentioned in the advisory. The vulnerability is exploitable without authentication [1].
Exploitation
An attacker can exploit this vulnerability by persuading a user with authenticated access to the REST API to follow a crafted link. The attacker needs neither credentials nor local access, but the victim user must interact with the malicious link. No special network position is needed beyond reachability of the affected device [1].
Impact
A successful exploit allows the attacker to cause the affected system to reload, resulting in a denial of service (DoS) condition. The attack does not lead to data disclosure, privilege escalation, or remote code execution; the impact is limited to availability [1].
Mitigation
Cisco has released free software updates to address this vulnerability. Users with service contracts should obtain fixes through their usual update channels. Customers without service contracts should contact Cisco TAC. No workarounds are documented. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: X8.5.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions
No linked articles in our index yet.