SecurityWeek

Cisco Patches Webex Bugs Following Exposure of German Government Meetings

Cisco has released a security advisory after researchers discovered that the German government’s Webex meetings were exposed.

Cisco on Tuesday released a security advisory after the media reported that the German government’s Webex meetings were exposed, potentially allowing adversaries to obtain highly sensitive information.

German publication Zeit Online [paywalled content] reported on May 4 that vulnerabilities in the German government’s implementation of the Cisco Webex video conferencing software could have been exploited to obtain links to internal meetings and the meeting rooms of high-ranking officials.  

The German government has been using the on-premises version of Webex to store data on local servers and ensure that it would not leave the country. 

However, researchers discovered what appears to be an insecure direct object reference (IDOR) vulnerability that could have been exploited to obtain the links to thousands of internal Webex meetings simply by changing the numbers in a meeting link. 

This exposed the topic, time and participants of a meeting, including for sensitive sessions discussing military activities. 

In addition, the personal meeting rooms of high-ranking officials were not protected by passwords, allowing adversaries to easily access them and potentially obtain classified information. 

In early March, Russia made public the audio recording of a German military meeting held on the Webex platform, but it’s unclear if the incidents are related.

In response to the discovery of the vulnerabilities, the German government blocked access to the exposed meeting rooms and took its Webex instance offline.

Cisco addressed the incident in a security advisory published on June 4, saying that it has released patches, but continues to be on the lookout for unauthorized activity.

“In early May 2024, Cisco identified bugs in Cisco Webex Meetings that we now believe were leveraged in targeted security research activity allowing unauthorized access to meeting information and metadata in Cisco Webex deployments for certain customers hosted in our Frankfurt data center. These bugs have been addressed and a fix has been fully implemented worldwide as of May 28, 2024,” Cisco said.

“Cisco has notified those customers who had observable attempts to access meeting information and metadata based on available logs. Since the bugs were patched, Cisco has not observed any further attempts to obtain meeting data or metadata leveraging the bugs,” it added.
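
The reported flaw involved changing the numbers in a meeting link, and Cisco says it identified affected customers from available logs. As an added example (not from the article or from Cisco), the following sketch flags clients that request runs of consecutive meeting IDs; the log format, the `/meet/info/<id>` path and the thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (hypothetical format and URL path,
# not Webex's real link scheme): client IP, method, request path, HTTP status.
SAMPLE_LOG = """\
203.0.113.7 GET /meet/info/100231 200
203.0.113.7 GET /meet/info/100232 200
203.0.113.7 GET /meet/info/100233 403
203.0.113.7 GET /meet/info/100234 200
203.0.113.7 GET /meet/info/100235 200
203.0.113.7 GET /meet/info/100236 200
198.51.100.20 GET /meet/info/100410 200
198.51.100.20 GET /meet/info/100410 200
198.51.100.20 GET /meet/info/258899 200
192.0.2.55 GET /meet/info/771002 200
"""

LINE_RE = re.compile(r"^(\S+) GET /meet/info/(\d+) (\d{3})$")

def longest_run(ids):
    """Length of the longest run of consecutive integers in a set of IDs."""
    best = 0
    for n in ids:
        if n - 1 not in ids:  # n starts a run
            length = 1
            while n + length in ids:
                length += 1
            best = max(best, length)
    return best

def find_enumerators(log_text, min_distinct=5, min_run=4):
    """Return {client: (distinct_ids, longest_consecutive_run)} for clients
    whose requests look like ID walking rather than normal meeting joins."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # count every attempt, including 403/404 responses
            seen[m.group(1)].add(int(m.group(2)))
    flagged = {}
    for client, ids in seen.items():
        run = longest_run(ids)
        if len(ids) >= min_distinct and run >= min_run:
            flagged[client] = (len(ids), run)
    return flagged

if __name__ == "__main__":
    for client, (distinct, run) in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {distinct} distinct meeting IDs, longest run {run}")
```

Denied requests are counted on purpose: a client probing adjacent IDs is worth reviewing even after the object-level authorization check has been fixed.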

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
