Security Experts:

Connect with us

Hi, what are you looking for?



Cisco Webex Vulnerability Allows Ghost Access to Meetings

Cisco this week announced the availability of software updates that address multiple vulnerabilities across several products, including bugs leading to unauthorized access to Webex meetings.

Cisco this week announced the availability of software updates that address multiple vulnerabilities across several products, including bugs leading to unauthorized access to Webex meetings.

Identified by IBM’s security researchers, the Webex flaws could allow attackers to join meetings as ghosts (without being seen by other participants), remain in the meeting as a ghost after being expelled, and access information on meeting attendees (names, email addresses and IP addresses).

Tracked as CVE-2020-3419, the first of the issues impacts both Webex Meetings and Webex Meetings Server and is the result of “improper handling of authentication tokens by a vulnerable Webex site.”

An attacker with access to join a meeting (including meeting join links and passwords) could abuse the flaw by sending crafted requests to a vulnerable Webex Meetings site. This would allow the attacker to join the meeting with full access to audio, chat, video, and screen sharing, but without appearing in the participant list.

IBM’s researchers explain that a “beep” would be the only indicator that the attacker has joined the meeting, but that this indicator might be disabled for large meetings, thus “allowing the ghost to enter perfectly stealthily.”

No workarounds are available for the bug and all Webex Meetings sites prior to November 17, 2020, are affected, Cisco explains. Webex Meetings 40.10.9 and earlier for iOS and Android are affected too, as well as Webex Meetings Server 3.0MR Security Patch 4 and earlier and 4.0MR3 Security Patch 3 and earlier.

Cisco rolled out patches for the bug on November 17. Given that Webex Meetings sites are cloud-based, no user action is required.

The same update also patches CVE-2020-3441 and CVE-2020-3471, vulnerabilities that could lead to the disclosure of sensitive information from the meeting room lobby or could allow an attacker to maintain bidirectional audio after being expelled from a Webex session, respectively.

“These vulnerabilities work by exploiting the handshake process that Webex uses to establish a connection between meeting participants. […] A malicious actor can become a ghost by manipulating […] messages during the handshake process between the Webex client application and the Webex server back-end to join or stay in a meeting without being seen by others,” IBM explains.

A fourth vulnerability addressed in Webex this week could allow a remote attacker to launch cross-site scripting (XSS) attacks without authentication.

Cisco patched 14 other vulnerabilities this week, including three critical flaws, three high-severity bugs, and 8 medium-risk vulnerabilities.

The most important of these are CVE-2020-3470 (CVSS score 9.8) – remote code execution issue in the API subsystem of Cisco Integrated Management Controller (IMC); CVE-2020-3586 (CVSS score 9.4) – arbitrary command execution in the web-based management interface of DNA Spaces Connector; and CVE-2020-3531 (CVSS score 9.8) – access to the back-end database of IoT Field Network Director (FND) (the bug resides in the REST API).

The flaws assessed with a high severity rating include CVE-2020-3367 – command injection and privilege escalation in Secure Web Appliance (formerly Web Security Appliance); CVE-2020-26072 – insufficient authorization in the SOAP API of IoT FND, leading to access to and manipulation of information; and CVE-2020-3392 – improper authentication of API calls in IoT FND, leading to information leakage.

Cisco also patched an unauthorized token generation bug in Telepresence CE and RoomOS software, bypass of security controls in Expressway software, and multiple medium risk issues in IoT FND, including cross-site scripting (XSS), improper access control, information disclosure, insufficient input validation, unprotected storage credentials, and file overwrite.

Further information on all of these vulnerabilities can be found on Cisco’s security portal.

Related: Cisco Patches Publicly Disclosed Vulnerabilities in Security Manager

Related: Cisco Patches 17 High-Severity Vulnerabilities in Security Appliances

Related: Cisco Patches Actively Exploited Flaws in Carrier-Grade Routers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet