A vulnerability in Cisco Virtual TelePresence Server Software could allow an authenticated, local attacker to access the shell of the underlying operating system with the privilege level of the root user.
The vulnerability is due to undocumented privileged access through the serial connection, which is available via the vSphere controller. An attacker who has administrative privileges on the vSphere controller could exploit this vulnerability to access the underlying operating system with the privileges of the root user. Cisco TelePresence Server Software for appliances is not affected by this vulnerability.
Cisco has confirmed the vulnerability and released software updates.
To exploit this vulnerability, an attacker must authenticate and have local access to the targeted system. These requirements may reduce the likelihood of a successful exploit.
Cisco indicates through the CVSS score that functional code exists; however, the code is not known to be publicly available.