A pair of dangerous flaws for Cisco teleconferencing software

Two similar (but independent) security flaws rated "critical" have been discovered recently. Fortunately, Cisco has already released updates.

Cisco has two similar but separate products, both for feature-rich remote teleconferencing: Cisco Expressway and TelePresence Video Communication Server (VCS). The former is the more versatile and flexible of the two, and is the one Cisco itself recommends.

Two vulnerabilities (CVE-2022-20812 and CVE-2022-20813) apply equally to those two products.

The first allows a "hostile" authenticated system administrator to access files by supplying an absolute path and even to modify the filesystem with root privileges. To do this, an attacker must authenticate as a "read-write" administrator and then use the cluster database API of Cisco Expressway Series and Cisco TelePresence VCS in a specific way. Why has this vulnerability received the highest severity rating if the attacker needs to be authenticated? The answer is simple: being authenticated can no longer be considered a particularly hard task. We have social engineering, brute-force and even dumpster-diving attacks, plus their effective combinations. Your login and password do not offer much protection, indeed; stop relying on them alone. And root-level access for the adversary suggests that Cisco's backend runs some services under superuser privileges, which is a serious violation of best practices for secure software operation.

The second flaw is the old familiar one: missing TLS certificate validation between the VoIP client and the server. Cisco's advisory diplomatically calls it improper certificate validation, but we are not diplomats, we are security experts, so for us this is simply no validation, which makes man-in-the-middle traffic interception possible. Modern software usually uses two layers of certificate validation: one at the TLS level (which checks the certificate's validity by ensuring it was issued by a trusted Certificate Authority, and is based on cryptography), and another at the application level (which ties the certificate to application-specific conditions). A successful man-in-the-middle attack implies that Cisco failed at both.
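The two layers described above, as an added Go example that is not code from Cisco's products or advisory: layer 1 is chain, validity and host-name checking, layer 2 is an out-of-band public-key pin, and an impostor certificate for the same host name stands in for what a man-in-the-middle would present. All certificates, the host name `vcs.example.test` and the helper names are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues an in-memory certificate for host, signed by parent, or self-signed
// as a CA when parent is nil (hypothetical helper written for this example).
func mkCert(host string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, IsCA: parent == nil, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Scenario builds a private trust root, the legitimate server certificate it issued,
// and a self-signed impostor for the same host name (constructed sample data).
func Scenario() (roots *x509.CertPool, legit, impostor *x509.Certificate) {
	ca, caKey := mkCert("Demo Root CA", nil, nil)
	legit, _ = mkCert("vcs.example.test", ca, caKey)
	impostor, _ = mkCert("vcs.example.test", nil, nil)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return roots, legit, impostor
}

// Pin is the application-level binding: SHA-256 of the server's public key, provisioned
// into the client out of band rather than learned from the connection.
func Pin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// Verify runs layer 1 (chain to a trusted root, validity period, host-name match; the part
// that tls.Config{InsecureSkipVerify: true} turns off) and then layer 2 (the pin).
// A nil pin models a client that implements layer 1 only.
func Verify(leaf *x509.Certificate, roots *x509.CertPool, host string, pin *[32]byte) error {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return fmt.Errorf("TLS-level validation failed: %w", err)
	}
	if pin != nil && Pin(leaf) != *pin {
		return fmt.Errorf("application-level validation failed: public key pin mismatch")
	}
	return nil
}
```

With layer 1 alone the impostor is already rejected as signed by an unknown authority; layer 2 additionally catches a certificate that chains correctly but carries a key the client was not provisioned with.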

Useful Links