Login Sign Up

CVE-2023-20091

5.1 MEDIUM

📋 TL;DR

This vulnerability allows authenticated local attackers with remote support accounts to overwrite arbitrary files on Cisco TelePresence CE and RoomOS devices via symbolic link attacks due to improper file access controls. It affects Cisco TelePresence CE and RoomOS software. Attackers need local access and specific credentials to exploit this flaw.

💻 Affected Systems

Products:
  • Cisco TelePresence CE
  • Cisco RoomOS
Versions: Specific versions not detailed in advisory; check Cisco advisory for exact affected versions
Operating Systems: RoomOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires remote support user account; default configurations with such accounts enabled are vulnerable.

📦 What is this software?

Roomos by Cisco

View all CVEs affecting Roomos →

Telepresence Collaboration Endpoint by Cisco

View all CVEs affecting Telepresence Collaboration Endpoint →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through overwriting critical system files, potentially leading to persistent backdoors, service disruption, or credential theft.

🟠

Likely Case

Limited file manipulation by authorized users abusing their privileges to modify configuration files or logs.

🟢

If Mitigated

No impact if proper access controls and patching are implemented, restricting file write permissions.

🌐 Internet-Facing: LOW - Requires local access and authenticated user account, not directly exploitable over internet.
🏢 Internal Only: MEDIUM - Internal users with remote support accounts could exploit this to modify system files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated local access with remote support privileges and knowledge of specific file system locations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Cisco advisory for specific patched versions

Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-roomos-file-write-rHKwegKf

Restart Required: Yes

Instructions:

1. Review Cisco advisory for affected versions. 2. Download and apply the latest software update from Cisco. 3. Restart the device to apply changes. 4. Verify the update was successful.

🧯 If You Can't Patch

  • Remove or restrict remote support user accounts to minimize attack surface.
  • Implement strict file system permissions and monitoring for unauthorized file modifications.

🔍 How to Verify

Check if Vulnerable:

Check device software version against Cisco advisory; devices with vulnerable versions are affected.

Check Version:

Check device web interface or CLI for software version information (specific command varies by device).

Verify Fix Applied:

Verify software version is updated to patched version listed in Cisco advisory.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file modification events in system logs
  • Symbolic link creation in specific directories
  • Remote support account activity leading to file writes

Network Indicators:

  • No direct network indicators as exploit is local

SIEM Query:

Search for file modification events from remote support user accounts or symbolic link creation in system directories.

📊 Metadata

CVE ID: CVE-2023-20091
CVSS v3 Score: 5.1 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L
CWE: CWE-61
Published: November 15, 2024
Last Updated: July 30, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-20091, you might also want to check these:

CVE-2025-23394 9.8

A UNIX symbolic link following vulnerability in cyrus-imapd on openSUSE Tumbleweed allows local atta...

Same vulnerability type (CWE-61)
CVE-2024-54661 9.8

This vulnerability in socat's readline.sh script allows local privilege escalation through insecure ...

Same vulnerability type (CWE-61)
CVE-2025-55345 8.8

This vulnerability in Codex CLI allows attackers to overwrite arbitrary files and potentially achiev...

Same vulnerability type (CWE-61)