​Cisco has patched two critical bugs that could allow attackers to write files and run arbitrary code on its video conferencing and collaboration products.

Each bug affects the company’s Cisco Expressway series of collaboration servers and its TelePresence Video Communication Server (VCS).

The first vulnerability, CVE-2022-20754, allows a remote attacker to write files to the system. It lies in the products’ cluster database API, which doesn’t properly validate user input. This enables attackers to authenticate as an administrative user and then submit malicious input via a directory traversal attack. They could then write their own files with root privileges, including overwriting existing operating system files.

The second flaw, CVE-2022-20755, allows an attacker to execute arbitrary code by exploiting the products’ web management interface. An attacker could log in as an admin and then craft malicious input that would let them run their own code as root.

These vulnerabilities, each of which has a 9.0 CVSS score, do not depend on each other, Cisco said in its advisory. with customers being told to install both patches to protect their systems.

Cisco Expressway is a series of devices supporting collaboration with users outside of a company’s firewall. The system, which operates without the need for a VPN client, supports video, voice, and instant messaging. Users can also see each others’ presence information.

The TelePresence VCS is a server for managing video conferencing sessions. It works as an appliance on a customer’s premises or in the cloud, and supports communication between different video conferencing platforms.

TelePresence VCS has not been sold since December 2020. Cisco will stop issuing software maintenance patches for this product on December 29 this year and will stop providing support entirely at the end of 2023.