Cisco on Wednesday rolled out patches for 10 security flaws spanning multiple products, one of which is rated Critical in severity and could be weaponized to conduct absolute path traversal attacks.

The issues, tracked as CVE-2022-20812 and CVE-2022-20813, affect Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) and "could allow a remote attacker to overwrite arbitrary files or conduct null byte poisoning attacks on an affected device," the company said in an advisory.

CVE-2022-20812 (CVSS score: 9.0), which concerns a case of arbitrary file overwrite in the cluster database API, requires the authenticated, remote attacker to have Administrator read-write privileges on the application so as to be able to mount path traversal attacks as a root user.

"This vulnerability is due to insufficient input validation of user-supplied command arguments," the company said. "An attacker could exploit this vulnerability by authenticating to the system as an administrative read-write user and submitting crafted input to the affected command."

Successful exploitation of the flaw could enable the adversary to overwrite arbitrary files on the underlying operating system.

CVE-2022-20813 (CVSS score: 7.4), on the other hand, has been described as a null byte poisoning flaw arising due to improper certificate validation, which could be weaponized by an attacker to stage a man-in-the-middle (MitM) attack and gain unauthorized access to sensitive data.