Security Experts:

Connect with us

Hi, what are you looking for?



Cisco Webex Vulnerability Allows Ghost Access to Meetings

Cisco this week announced the availability of software updates that address multiple vulnerabilities across several products, including bugs leading to unauthorized access to Webex meetings.

Cisco this week announced the availability of software updates that address multiple vulnerabilities across several products, including bugs leading to unauthorized access to Webex meetings.

Identified by IBM’s security researchers, the Webex flaws could allow attackers to join meetings as ghosts (without being seen by other participants), remain in the meeting as a ghost after being expelled, and access information on meeting attendees (names, email addresses and IP addresses).

Tracked as CVE-2020-3419, the first of the issues impacts both Webex Meetings and Webex Meetings Server and is the result of “improper handling of authentication tokens by a vulnerable Webex site.”

An attacker with access to join a meeting (including meeting join links and passwords) could abuse the flaw by sending crafted requests to a vulnerable Webex Meetings site. This would allow the attacker to join the meeting with full access to audio, chat, video, and screen sharing, but without appearing in the participant list.

IBM’s researchers explain that a “beep” would be the only indicator that the attacker has joined the meeting, but that this indicator might be disabled for large meetings, thus “allowing the ghost to enter perfectly stealthily.”

No workarounds are available for the bug and all Webex Meetings sites prior to November 17, 2020, are affected, Cisco explains. Webex Meetings 40.10.9 and earlier for iOS and Android are affected too, as well as Webex Meetings Server 3.0MR Security Patch 4 and earlier and 4.0MR3 Security Patch 3 and earlier.

Cisco rolled out patches for the bug on November 17. Given that Webex Meetings sites are cloud-based, no user action is required.

The same update also patches CVE-2020-3441 and CVE-2020-3471, vulnerabilities that could lead to the disclosure of sensitive information from the meeting room lobby or could allow an attacker to maintain bidirectional audio after being expelled from a Webex session, respectively.

“These vulnerabilities work by exploiting the handshake process that Webex uses to establish a connection between meeting participants. […] A malicious actor can become a ghost by manipulating […] messages during the handshake process between the Webex client application and the Webex server back-end to join or stay in a meeting without being seen by others,” IBM explains.

A fourth vulnerability addressed in Webex this week could allow a remote attacker to launch cross-site scripting (XSS) attacks without authentication.

Cisco patched 14 other vulnerabilities this week, including three critical flaws, three high-severity bugs, and 8 medium-risk vulnerabilities.

The most important of these are CVE-2020-3470 (CVSS score 9.8) – remote code execution issue in the API subsystem of Cisco Integrated Management Controller (IMC); CVE-2020-3586 (CVSS score 9.4) – arbitrary command execution in the web-based management interface of DNA Spaces Connector; and CVE-2020-3531 (CVSS score 9.8) – access to the back-end database of IoT Field Network Director (FND) (the bug resides in the REST API).

The flaws assessed with a high severity rating include CVE-2020-3367 – command injection and privilege escalation in Secure Web Appliance (formerly Web Security Appliance); CVE-2020-26072 – insufficient authorization in the SOAP API of IoT FND, leading to access to and manipulation of information; and CVE-2020-3392 – improper authentication of API calls in IoT FND, leading to information leakage.

Cisco also patched an unauthorized token generation bug in Telepresence CE and RoomOS software, bypass of security controls in Expressway software, and multiple medium risk issues in IoT FND, including cross-site scripting (XSS), improper access control, information disclosure, insufficient input validation, unprotected storage credentials, and file overwrite.

Further information on all of these vulnerabilities can be found on Cisco’s security portal.

Related: Cisco Patches Publicly Disclosed Vulnerabilities in Security Manager

Related: Cisco Patches 17 High-Severity Vulnerabilities in Security Appliances

Related: Cisco Patches Actively Exploited Flaws in Carrier-Grade Routers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.