Vulnerability Details : CVE-2014-0675
The Expressway component in Cisco TelePresence Video Communication Server (VCS) uses the same default X.509 certificate across different customers' installations, which makes it easier for remote attackers to conduct man-in-the-middle attacks against SSL sessions by leveraging the certificate's trust relationship, aka Bug ID CSCue07471.
Exploit prediction scoring system (EPSS) score for CVE-2014-0675
Probability of exploitation activity in the next 30 days: 0.37%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 69 %
CVSS scores for CVE-2014-0675
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N | 10.0 | 4.9 | NIST |
CWE ids for CVE-2014-0675
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-0675
- http://tools.cisco.com/security/center/viewAlert.x?alertId=32540
  Cisco TelePresence Video Communication Server Expressway Default SSL Certificate Vulnerability (Vendor Advisory)
- http://www.securityfocus.com/bid/65101
  Cisco TelePresence Video Communication Server Expressway Man in the Middle Vulnerability (Third Party Advisory; VDB Entry)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/90650
  Cisco TelePresence Video Communication Server man-in-the-middle CVE-2014-0675 Vulnerability Report
- http://www.securitytracker.com/id/1029682
  Cisco TelePresence Video Communication Server Expressway Common SSL Certificate Lets Remote Users Conduct Man-in-the-Middle Attacks - SecurityTracker (Third Party Advisory; VDB Entry)
- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0675
  Cisco TelePresence Video Communication Server Expressway Default SSL Certificate Vulnerability (Vendor Advisory)
Products affected by CVE-2014-0675
- cpe:2.3:h:cisco:telepresence_video_communication_server:-:*:*:*:*:*:*:*