Vulnerability testing specialists report a high-severity security flaw in some Cisco products, including Webex, the popular video conferencing platform. If exploited, the vulnerability allows a remote attacker to execute commands on the target system.
The vulnerability was detected in the web management interface of Webex Video Mesh, a component that improves audio and video quality during a videoconference. In the report, the researchers mention that exploiting this flaw allows arbitrary command execution on the underlying Linux system with root privileges.
The report indicates that the flaw can be exploited remotely; however, vulnerability testing experts note that a threat actor must first be authenticated on the system. In other words, before carrying out the attack they would have to log in to the web interface of the affected system with valid credentials and then send specially crafted requests to it.
The flaw exists because the Webex Video Mesh web interface does not correctly validate the requests it receives: input carried in a request reaches a command executed by the system, so an authenticated attacker can inject arbitrary commands that run as root. The vulnerability affects all versions of this software prior to 2019.03.19.1956m, so administrators should confirm the release running on their Video Mesh nodes and update any node on an earlier release. The flaw received a base score of 7.2/10 on the Common Vulnerability Scoring System (CVSS) scale and is therefore rated high severity.
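As an added example (not code from Cisco or from the advisory; the real Video Mesh handler is not public), here is the pattern behind this class of flaw: a web handler that concatenates a request parameter into a shell command, beside a hardened version that allow-lists the parameter and calls the program without a shell. The diagnostic endpoint, the host parameter and the use of echo in place of a real network tool are assumptions made so the example runs on any POSIX system.

```python
"""Command injection through a web management handler: the vulnerable pattern
beside a hardened one.

Added example, not Cisco's code. The Webex Video Mesh handler is not public, so
a hypothetical "diagnostic" endpoint stands in for it: it takes a host name from
an authenticated request and runs a command with it. `echo` replaces the real
network tool so the example runs on any POSIX system; the injection mechanics
are the same.
"""
import re
import subprocess

# Allow-list for the parameter: hostname / IPv4 characters only. Assumption:
# the endpoint never needs IPv6 literals, spaces or shell metacharacters.
HOST_RE = re.compile(r"[A-Za-z0-9.\-]{1,253}")


def vulnerable_diagnostic(host: str) -> str:
    """Concatenates the request parameter into a command line and hands it to
    /bin/sh. Everything the attacker puts in `host` is parsed by the shell, so
    `;`, `|`, `$(...)` and friends become extra commands. In a service that runs
    as root, those commands run as root too."""
    cmdline = f"echo running diagnostic against {host}"
    result = subprocess.run(cmdline, shell=True, capture_output=True, text=True)
    return result.stdout


def validate_host(host: str) -> str:
    """Rejects anything outside the allow-list instead of trying to escape it."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return host


def hardened_diagnostic(host: str) -> str:
    """Validates first, then passes an argv list with shell=False so the
    parameter is a single argument no matter what it contains."""
    host = validate_host(host)
    result = subprocess.run(
        ["echo", "running", "diagnostic", "against", host],
        capture_output=True, text=True,
    )
    return result.stdout


def demo() -> dict:
    """Runs both handlers on a benign and on a constructed malicious parameter."""
    benign = "10.0.0.1"
    malicious = "10.0.0.1; echo INJECTED"  # constructed attacker input
    results = {
        "vulnerable_benign": vulnerable_diagnostic(benign),
        "vulnerable_malicious": vulnerable_diagnostic(malicious),
        "hardened_benign": hardened_diagnostic(benign),
    }
    try:
        results["hardened_malicious"] = hardened_diagnostic(malicious)
    except ValueError as exc:
        results["hardened_malicious"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, output in demo().items():
        print(f"{name}: {output!r}")
```

Escaping the parameter (for example with shlex.quote) would also neutralise this particular input, but the argv form removes the shell from the picture entirely, and the allow-list keeps unexpected input away from whatever the underlying tool does with it. Independently of the fix, a management interface like this should not run as root, so that the next bug in it does not again yield root.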
Separately, vulnerability testing experts mention a cross-site request forgery (XSRF) flaw in the web interface of Cisco IOS and Cisco IOS XE Software. It should be noted that XSRF attacks also depend on a social engineering campaign: the attacker must trick a user who is logged in to the device's web interface into visiting a website operated by the attacker and designed to send forged requests, which the victim's browser submits together with the victim's session.
This flaw was discovered by vulnerability testing specialist Mehmet Önder Key and affects Cisco devices running versions of Cisco IOS or Cisco IOS XE Software earlier than 16.1.1 with the HTTP Server feature enabled. On IOS and IOS XE that feature is turned on by the ip http server and ip http secure-server configuration commands, so the output of show running-config | include ip http tells an administrator whether a device is exposed. Shortly after receiving the vulnerability report, Cisco acknowledged the flaw and announced the release of a security update. The company also states that so far it is not aware of any exploitation in real-world scenarios.
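To show what the forged-request attack and its standard defence look like, here is an added example (not Cisco's code and not taken from the advisory): a cookie-authenticated management handler that executes any POST carrying a valid session, beside a hardened handler that checks the Origin header and a session-bound CSRF token. The session store, the reboot action and the two origins are constructed for illustration.

```python
"""Cross-site request forgery (XSRF) against a cookie-authenticated web UI:
vulnerable handler beside a hardened one.

Added example, not Cisco's code. It models the attack the article describes:
an administrator who is logged in to the device's web interface visits a page
run by the attacker, and the browser attaches the admin's session cookie to a
forged request. The session store, the 'reboot' action and the origins used
below are all constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SESSIONS = {"sess-admin-1": {"user": "admin"}}  # constructed server-side session store
SECRET = secrets.token_bytes(32)                  # per-deployment key for CSRF tokens
SELF_ORIGIN = "https://device.example"            # origin of the management UI (assumed)


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the server sees it."""
    method: str
    cookies: dict
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def csrf_token(session_id: str) -> str:
    """Token bound to the session; an attacker's page can neither read nor compute it."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_handler(req: Request) -> str:
    """Authenticates by session cookie only. Any site that can make the browser
    submit a POST here gets the action executed with the admin's session."""
    sid = req.cookies.get("session")
    if req.method != "POST" or sid not in SESSIONS:
        return "rejected: not authenticated"
    return f"executed {req.form.get('action')} as {SESSIONS[sid]['user']}"


def hardened_handler(req: Request) -> str:
    """Same endpoint with two independent checks: the Origin header, when the
    browser sends one, must match the UI's own origin, and the form must carry
    the CSRF token derived from the session (compared in constant time)."""
    sid = req.cookies.get("session")
    if req.method != "POST" or sid not in SESSIONS:
        return "rejected: not authenticated"
    origin = req.headers.get("Origin")
    if origin is not None and origin != SELF_ORIGIN:
        return f"rejected: cross-origin request from {origin}"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(sid)):
        return "rejected: missing or invalid CSRF token"
    return f"executed {req.form.get('action')} as {SESSIONS[sid]['user']}"


def forged_request(send_origin: bool = True) -> Request:
    """What arrives when the logged-in admin loads an attacker page containing an
    auto-submitting <form method="POST" action="https://device.example/action">.
    The browser adds the session cookie; the attacker's page cannot add the token."""
    headers = {"Origin": "https://attacker.example"} if send_origin else {}
    return Request("POST", cookies={"session": "sess-admin-1"}, headers=headers,
                   form={"action": "reboot"})


def legitimate_request() -> Request:
    """A POST from the UI's own page, which embedded the token in its form."""
    return Request("POST", cookies={"session": "sess-admin-1"},
                   headers={"Origin": SELF_ORIGIN},
                   form={"action": "reboot", "csrf_token": csrf_token("sess-admin-1")})


if __name__ == "__main__":
    print("vulnerable, forged:   ", vulnerable_handler(forged_request()))
    print("hardened, forged:     ", hardened_handler(forged_request()))
    print("hardened, no Origin:  ", hardened_handler(forged_request(send_origin=False)))
    print("hardened, legitimate: ", hardened_handler(legitimate_request()))
```

The token check is the one that must hold on its own, since not every client sends an Origin header; the Origin comparison is a cheap extra layer. Marking the session cookie SameSite would also stop the browser from attaching it to the attacker's cross-site POST, but that depends on the client, which a device's web UI cannot control.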
According to the International Institute of Cyber Security (IICS), Cisco issued a total of 14 updates to correct multiple bugs in its products, most of them of medium severity. Almost every one relates to authentication bypass or privilege escalation on specific systems, among other issues.