CVE-2024-20254
Published: 07 February 2024
Summary
CVE-2024-20254 is a critical-severity CSRF (CWE-352) vulnerability in Cisco Expressway. Its CVSS base score is 9.6 (Critical).
Operationally, ranked in the top 14.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-20254 is a cross-site request forgery vulnerability tracked under CWE-352 that affects Cisco Expressway Series devices, specifically Expressway-C and Expressway-E, as well as Cisco TelePresence Video Communication Server (VCS). The flaw carries a CVSS 3.1 score of 9.6 and stems from insufficient protections against forged requests that can trigger arbitrary actions on the affected appliances.
An unauthenticated remote attacker can exploit the issue by luring an authenticated user into interacting with a malicious link or page, resulting in unauthorized configuration changes or other actions performed with the victim's privileges and leading to high impact on confidentiality, integrity, and availability.
The official Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-csrf-KnnZDMj3 provides remediation guidance and should be consulted for available fixes. The associated EPSS score rose from a low baseline to a peak of 0.0516 on 2025-12-11 before receding to its current value of 0.0233, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-17969
Vulnerability details
Multiple vulnerabilities in Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks that perform arbitrary actions on an affected device. Note: "Cisco Expressway Series" refers to…
more
Cisco Expressway Control (Expressway-C) devices and Cisco Expressway Edge (Expressway-E) devices. For more information about these vulnerabilities, see the Details ["#details"] section of this advisory.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF.
Requiring user re-entry of credentials for sensitive actions prevents automated forgery of requests without active user participation.
Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications.
Detects anomalous request patterns consistent with cross-site request forgery.