- Cisco found and fixed three vulnerabilities, including a high-severity one
- The high-severity issue was found in the Cisco Webex app
- It allowed criminals to run commands remotely
Cisco has patched a high-severity vulnerability in its Webex video conferencing platform which allowed threat actors to mount remote code execution (RCE) attacks against exposed endpoints.
The bug was discovered in the custom URL parser of a Cisco Webex app and is described as an “insufficient input validation” vulnerability.
“An attacker could exploit this vulnerability by persuading a user to click a crafted meeting invite link and download arbitrary files,” the bug’s NVD page reads. “A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the targeted user.”
No revolution
The vulnerability is tracked as CVE-2024-20236, and was assigned a severity score of 8.8/10 (high).
Cisco further explained that the vulnerability is present in all older versions of the product, regardless of the OS it’s running on, or system configurations.
The networking giant also said there were no workarounds for the bug, so installing the update is the only way to mitigate the risk.
While the most severe, it’s not the only vulnerability Cisco recently addressed. The company also fixed two more flaws, CVE-2025-20178 (6.0/10), and CVE-2025-20150 (5.3/10).
The former is a privilege escalation flaw in Secure Networks Analytics’ web-based management interface, and allows threat actors to run arbitrary controls as root, with admin credentials.
The latter was found in a Nexus Dashboard, and allows threat actors to enumerate LDAP user accounts remotely, separating valid accounts from the invalid ones.
The good news is that the vulnerabilities are not yet being exploited in the wild, BleepingComputer reports, citing analysis from the company’s Product Security Incident Response Team (PSIRT).
Cisco’s equipment, both software and hardware, are popular in both the enterprise and in consumer households. That makes them a prime target for threat actors, both state-sponsored and profit-oriented.
Via BleepingComputer
Leave a comment