CVE-2024-20497 - Cisco Expressway-E Vulnerability Explained — How Attackers Can Impersonate Users

A serious security hole was found in Cisco Expressway Edge (Expressway-E) products, tracked as CVE-2024-20497. This bug allows any authenticated remote user—specifically those with Mobile and Remote Access (MRA) permissions—to impersonate other users and perform harmful actions. If you use Cisco Expressway for telephony or video conferencing, you need to understand how this works, how to spot trouble, and what you can do to protect your environment.

In this post, I’ll break down what’s going on in simple terms, show how attackers might exploit this bug, and provide references and advice for tackling the issue.

What Is CVE-2024-20497?

CVE-2024-20497 is a vulnerability caused by insufficient authorization checks in Cisco's Expressway-E software when it handles MRA users. As an MRA user, you are supposed to get secure remote access to your organization's phones and video endpoints. Because of this bug, however, an MRA user can craft requests that make calls appear legitimate, or even impersonate other users and intercept their calls.

Official Cisco Advisory

Find the official advisory from Cisco here:
🔗 Cisco Security Advisory: CVE-2024-20497

- You have the Mobile and Remote Access (MRA) feature enabled.
- Attackers need valid credentials as an MRA user (they cannot attack from outside with no login at all). Typically, if a rogue user obtains an MRA account, perhaps through phishing or insider theft, they can run this attack.
- The software fails to properly check which user is requesting which operation.
- An attacker can send specially crafted API or signaling requests that pretend to come from another user.

Here is some simplified pseudo-code showing what an attacker might try via network requests:

```python
import requests

# Sample code for sending a crafted registration request

target_number = "+18005551212"      # The victim's phone number
attacker_number = "+18885550000"    # Attacker's legitimate MRA user number

url = "https://expressway-e.company.com/api/mra/register"
headers = {
    "Authorization": "Bearer legit_MRA_token",   # a valid MRA session token
    "Content-Type": "application/json"
}
# The attacker forges the registration for the target number
payload = {
    "user": target_number,       # Pretend to be the victim
    "endpoint": "attacker_device_id"
}

resp = requests.post(url, headers=headers, json=payload)
if resp.status_code == 200:
    print("Successfully registered as another user!")
else:
    print("Registration failed")

# Now when people call the victim, their calls go to the attacker's endpoint.
```

This is illustrative—the exact API or protocol may vary, but the main idea is the same: the attacker can convince the system to route calls intended for someone else to themselves.
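The flaw pattern above comes down to a server that trusts the identity named in the request body instead of the identity behind the credential. The following added example (not Cisco's code, and not the Expressway API; `Session`, `RoutingTable`, the handler names and the payload fields are all a hypothetical model) shows the vulnerable handler next to a hardened one that binds every registration to the authenticated account and records the denial for later review:

```python
from dataclasses import dataclass, field

# Hypothetical model of an MRA registration handler, added to illustrate the
# missing authorization check. Nothing here is Cisco's code or API.


@dataclass
class Session:
    """Server-side view of an authenticated MRA login."""
    account: str   # identity the credentials were issued for, e.g. "+18885550000"
    token: str


@dataclass
class RoutingTable:
    """Maps a user number to the endpoint that should receive its calls."""
    routes: dict = field(default_factory=dict)


def register_vulnerable(table, session, payload):
    """Trusts the client-supplied 'user' field: any valid session can claim
    any number, which is the flaw pattern described in the post."""
    table.routes[payload["user"]] = payload["endpoint"]
    return True


def register_hardened(table, session, payload, audit):
    """Binds the registration to the identity behind the credential. The
    client-supplied 'user' is accepted only if it matches the session, and
    every decision is written to an audit list for monitoring."""
    requested = payload.get("user")
    if requested != session.account:
        audit.append(f"DENIED register account={session.account} requested={requested}")
        return False
    table.routes[session.account] = payload["endpoint"]
    audit.append(f"OK register account={session.account}")
    return True


def demo():
    """Replays the post's scenario against both handlers and returns which
    endpoint now receives the victim's calls under each, plus the audit log."""
    victim, attacker = "+18005551212", "+18885550000"   # constructed numbers
    session = Session(account=attacker, token="constructed-token")
    forged = {"user": victim, "endpoint": "attacker_device_id"}

    weak = RoutingTable()
    register_vulnerable(weak, session, forged)

    strong, audit = RoutingTable(), []
    register_hardened(strong, session, forged, audit)

    return weak.routes.get(victim), strong.routes.get(victim), audit


if __name__ == "__main__":
    print(demo())
```

The design point is that the hardened handler never uses the request body to decide whose route is being changed; the only identity it writes is the one the server already established when the token was issued, so a forged `user` field has nothing to act on.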

Caller ID Spoofing

Using similar requests, the attacker can make outgoing calls where the recipient sees the target's number in caller ID. This is dangerous for phishing, harassment, or bypassing call restrictions.

- The attacker must already be an MRA user.
- No special hardware or advanced hacking skills are required, just some scripting and an understanding of the API.

1. Update Expressway-E: Cisco has fixed this issue. Patch immediately per the official advisory.
2. Monitor API Requests: Add logging and alerting for unusual registration or call-routing activity from MRA users. If a user suddenly re-registers as another person, flag it.
3. Audit MRA User Accounts: Remove unused or suspicious accounts, and enforce strong account/password policies.
4. Educate Users: Remind users not to share credentials and to report anything odd in their call handling.
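To make step 2 concrete, here is an added detection example (my own code, not a Cisco tool). It assumes a constructed, simplified log format with one `key=value` record per line, which is not Expressway's real log format, and applies two rules over it: the identity asserted in a registration or outbound call differs from the authenticated MRA account, and one account registers several distinct identities within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in an assumed format (not Expressway's own):
#   <ISO timestamp> mra account=<authenticated MRA account> action=<register|call_out> ...
# The numbers and addresses are made up for the example.
SAMPLE_LOG = """\
2024-09-04T17:20:01Z mra account=+18885550000 action=register user=+18885550000 endpoint=phone-a src=203.0.113.7
2024-09-04T17:21:10Z mra account=+18885550000 action=register user=+18005551212 endpoint=phone-a src=203.0.113.7
2024-09-04T17:21:40Z mra account=+18885550000 action=register user=+18005551300 endpoint=phone-a src=203.0.113.7
2024-09-04T17:25:00Z mra account=+18005550111 action=register user=+18005550111 endpoint=phone-b src=198.51.100.9
2024-09-04T17:26:00Z mra account=+18005550111 action=call_out from=+18005551212 to=+15550001111 src=198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) mra (?P<fields>.*)$")


def parse_line(line):
    """Turn one log line into a dict; returns None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("fields").split())
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect(log_text, window=timedelta(minutes=10), max_identities=3):
    """Return a list of alert dicts for identity mismatches and registration bursts."""
    alerts = []
    recent = defaultdict(list)   # account -> [(timestamp, registered identity)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        account, action = rec["account"], rec["action"]

        # Rule 1: the identity the request asserts is not the account that logged in.
        # For a registration that is the 'user' being registered; for an outbound
        # call it is the caller ID ('from') being presented.
        asserted = rec.get("user") if action == "register" else rec.get("from")
        if asserted is not None and asserted != account:
            alerts.append({"rule": "identity_mismatch", "ts": rec["ts"], "account": account,
                           "detail": f"{action} asserted identity {asserted}"})

        # Rule 2: one account registering many distinct identities inside the window.
        if action == "register":
            recent[account] = [(t, u) for t, u in recent[account] if rec["ts"] - t <= window]
            recent[account].append((rec["ts"], rec["user"]))
            identities = {u for _, u in recent[account]}
            if len(identities) >= max_identities:
                alerts.append({"rule": "velocity", "ts": rec["ts"], "account": account,
                               "detail": f"{len(identities)} identities registered within {window}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["ts"].isoformat(), alert["rule"], alert["account"], alert["detail"])
```

On the sample, rule 1 fires on the two forged registrations and on the outbound call presenting someone else's number, and rule 2 fires once the first account's third distinct identity is registered. Rule 1 is the one worth wiring to a page, since on a patched system a mismatch should never succeed; rule 2 is a cheaper signal that survives even if the log does not record the asserted identity precisely. A production version would also suppress repeated velocity alerts for the same account within the window.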

References

- Cisco Advisory: CVE-2024-20497
- NIST NVD Entry: CVE-2024-20497
- Cisco Expressway Documentation: Expressway Series

CVE-2024-20497 is a high-risk bug for anyone using Mobile and Remote Access on Cisco Expressway-E.

- An attacker who logs in as an MRA user can intercept calls or spoof caller ID—simply due to missing authorization checks.

Stay secure, and patch promptly!

*Exclusive, original explanation crafted for users and defenders—feel free to share with your IT and security teams.*

Timeline

Published on: 09/04/2024 17:15:13 UTC
Last modified on: 09/05/2024 12:53:21 UTC