New Cisco Webex vulnerability allows hackers to take control of your network

Vulnerability testing specialists report the presence of a critical security flaw in some Cisco products, including Webex, the popular video conferencing platform. If exploited, the vulnerability could allow a remote hacker to execute commands on the target system.

The vulnerability was detected in the Webex Video Mesh web management interface, a feature that improves audio and video quality during a videoconference. In the report, the researchers mention that exploiting this flaw allows arbitrary command execution on the underlying Linux system with root user privileges.

The report indicates that the flaw can be exploited remotely; however, vulnerability testing experts mention that threat actors exploiting this flaw must first be authenticated on the system. Before carrying out the attack, they would need to log in to the web interface of the affected system and send requests specifically designed for exploitation.

The flaw exists because the Webex Video Mesh web interface does not correctly validate requests sent by the attacker, which ultimately allows arbitrary command execution. The vulnerability affects all versions of this software prior to 2019.03.19.1956m. In addition, the flaw received a score of 7.2/10 on the Common Vulnerability Scoring System (CVSS) scale, so it is considered a high severity flaw.

The main risk that exploiting this flaw would bring is the possibility of launching cross-site request forgery (XSRF) attacks, vulnerability testing experts mention. It should be noted that these attacks also depend on a social engineering campaign that tricks victims into visiting websites operated by hackers and designed to send forged requests.

The flaw was discovered by vulnerability testing specialist Mehmet Önder Key and affects Cisco devices running vulnerable versions of Cisco IOS or Cisco IOS XE Software earlier than 16.1.1 with HTTP Server enabled. Shortly after receiving the vulnerability report, Cisco acknowledged its existence and announced the release of a security update. In addition, the company states that so far there are no known cases of exploitation in real-world scenarios.

According to the International Institute of Cyber Security (IICS), Cisco issued a total of 14 updates to correct multiple bugs in its products, most of them of medium severity. Almost every report relates to authentication bypass or privilege escalation on specific systems, among other security issues.