Login Sign Up

CVE-2023-20093

4.4 MEDIUM

📋 TL;DR

This vulnerability allows authenticated local attackers with remote support accounts to overwrite arbitrary files on Cisco TelePresence CE and RoomOS devices via symbolic link attacks. The issue stems from improper file access controls in the CLI. Only devices with vulnerable software versions are affected.

💻 Affected Systems

Products:
  • Cisco TelePresence CE
  • Cisco RoomOS
Versions: Specific versions not provided in advisory, check Cisco advisory for details
Operating Systems: RoomOS
Default Config Vulnerable: ⚠️ Yes
Notes: CVE-2023-20092 does not affect Cisco DX70, DX80, TelePresence MX Series, or TelePresence SX Series devices. Requires remote support user account.

📦 What is this software?

Roomos by Cisco

View all CVEs affecting Roomos →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through overwriting critical system files, potentially leading to persistent backdoors, service disruption, or credential theft.

🟠

Likely Case

Local privilege escalation or service disruption by overwriting configuration files, potentially gaining administrative access.

🟢

If Mitigated

Limited impact if proper access controls restrict remote support accounts and file permissions are properly configured.

🌐 Internet-Facing: LOW - Requires local access and authenticated remote support account.
🏢 Internal Only: MEDIUM - Internal attackers with remote support credentials could exploit this to compromise devices.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated local access with remote support privileges and ability to place symbolic links in specific locations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Cisco advisory for specific patched versions

Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-roomos-file-write-rHKwegKf

Restart Required: Yes

Instructions:

1. Review Cisco advisory for affected versions. 2. Download appropriate software update from Cisco. 3. Apply update following Cisco's deployment procedures. 4. Restart affected devices.

🧯 If You Can't Patch

  • Restrict access to remote support accounts and monitor for unauthorized usage.
  • Implement strict file permission controls and monitor for symbolic link creation in sensitive directories.

🔍 How to Verify

Check if Vulnerable:

Check device software version against Cisco advisory and verify if remote support accounts exist.

Check Version:

Check device web interface or CLI for software version information (specific command varies by device).

Verify Fix Applied:

Verify software version has been updated to patched version listed in Cisco advisory.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file modification events in system logs
  • Multiple failed or successful authentication attempts to remote support accounts
  • Symbolic link creation in system directories

Network Indicators:

  • Unusual SSH or management traffic to affected devices

SIEM Query:

Search for: 'file overwrite', 'symbolic link creation', 'remote support login' events on Cisco TelePresence devices

📊 Metadata

CVE ID: CVE-2023-20093
CVSS v3 Score: 4.4 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
CWE: CWE-61
Published: November 15, 2024
Last Updated: July 30, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-20093, you might also want to check these:

CVE-2025-23394 9.8

A UNIX symbolic link following vulnerability in cyrus-imapd on openSUSE Tumbleweed allows local atta...

Same vulnerability type (CWE-61)
CVE-2024-54661 9.8

This vulnerability in socat's readline.sh script allows local privilege escalation through insecure ...

Same vulnerability type (CWE-61)
CVE-2025-55345 8.8

This vulnerability in Codex CLI allows attackers to overwrite arbitrary files and potentially achiev...

Same vulnerability type (CWE-61)