SecurityWeek


Cisco Patches Webex Bugs Following Exposure of German Government Meetings

Cisco has released a security advisory after researchers discovered that the German government’s Webex meetings were exposed.


Cisco on Tuesday released a security advisory after the media reported that the German government’s Webex meetings were exposed, potentially allowing adversaries to obtain highly sensitive information.

German publication Zeit Online [paywalled content] reported on May 4 that vulnerabilities in the German government’s implementation of the Cisco Webex video conferencing software could have been exploited to obtain links to internal meetings and the meeting rooms of high-ranking officials.  

The German government has been using the on-premises version of Webex to store data on local servers and ensure that it would not leave the country. 

However, researchers discovered what appears to be an insecure direct object reference (IDOR) vulnerability that could have been exploited to obtain the links to thousands of internal Webex meetings simply by changing the numbers in a meeting link. 

This exposed the topic, time and participants of a meeting, including for sensitive sessions discussing military activities. 

In addition, the personal meeting rooms of high-ranking officials were not protected by passwords, allowing adversaries to easily access them and potentially obtain classified information. 

In early March, Russia made public the audio recording of a German military meeting held on the Webex platform, but it’s unclear if the incidents are related.

In response to the discovery of the vulnerabilities, the German government blocked access to the exposed meeting rooms and took its Webex instance offline.


Cisco addressed the incident in a security advisory published on June 4, saying that it has released patches, but continues to be on the lookout for unauthorized activity.

“In early May 2024, Cisco identified bugs in Cisco Webex Meetings that we now believe were leveraged in targeted security research activity allowing unauthorized access to meeting information and metadata in Cisco Webex deployments for certain customers hosted in our Frankfurt data center. These bugs have been addressed and a fix has been fully implemented worldwide as of May 28, 2024,” Cisco said.

“Cisco has notified those customers who had observable attempts to access meeting information and metadata based on available logs. Since the bugs were patched, Cisco has not observed any further attempts to obtain meeting data or metadata leveraging the bugs,” it added.
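Changing the numbers in a meeting link, as described above, leaves a recognizable trace in server access logs: one client requesting many distinct, consecutive meeting numbers. The following Python sketch is an added example, not code from Cisco or from the researchers, and shows one way a defender could flag that pattern; the log format, the `/meet/<number>` path, the addresses and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (hypothetical format: client, method, path, status).
SAMPLE_LOG = "\n".join(
    [f"10.0.0.5 GET /meet/{n} 200" for n in (100231, 100231, 100940)]
    + [f"10.0.0.9 GET /meet/{n} 200" for n in (100100, 100450, 100777, 101200, 102000)]
    + [f"203.0.113.7 GET /meet/{n} 200" for n in range(100230, 100237)]
)

# With an IDOR the server answers 200 for objects the caller should not see,
# so the status code is parsed but cannot be used as the signal on its own.
LINE_RE = re.compile(r"^(\S+) GET /meet/(\d+) (\d{3})$")

def longest_run(ids):
    """Length of the longest run of consecutive integers among ids."""
    s = set(ids)
    best = 0
    for n in s:
        if n - 1 not in s:  # n starts a run
            length = 1
            while n + length in s:
                length += 1
            best = max(best, length)
    return best

def find_enumerators(log_text, min_ids=5, min_run=4):
    """Return {client: (distinct_ids, longest_run)} for clients that
    requested many distinct meeting numbers in a consecutive sequence."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    flagged = {}
    for client, ids in seen.items():
        run = longest_run(ids)
        if len(ids) >= min_ids and run >= min_run:
            flagged[client] = (len(ids), run)
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

Detection of this kind complements the actual fix, which is a server-side authorization check on every meeting lookup rather than reliance on the link being hard to guess.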


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
