CyberSecurity news
FlagThis
Sergiu Gatlan@BleepingComputer
//
A critical vulnerability, identified as CVE-2025-20236, has been discovered in the Cisco Webex App, posing a significant security risk to users. The vulnerability allows unauthenticated attackers to gain client-side remote code execution through maliciously crafted meeting invite links. The flaw stems from insufficient input validation within the app's custom URL parser, which processes these meeting invites. An attacker can exploit this weakness by tricking a user into clicking on a malicious link, which can then download arbitrary files and execute commands on the user's system with their privileges.
Cisco has acknowledged the vulnerability and released security updates to address the flaw. The affected versions include Webex App version 44.6, which has been fixed in version 44.6.2.30589. Users running version 44.7 are advised to migrate to a fixed release. Versions 44.5 and earlier, as well as 44.8 and later, are not vulnerable. The vulnerability has been assigned a high CVSS score of 8.8, reflecting its severe risk level.
Users and administrators are strongly urged to immediately check their Webex App version and apply the necessary patches to mitigate the risk of exploitation. Organizations relying on Cisco Webex for communication and collaboration are particularly at risk, as successful exploitation of this vulnerability could lead to unauthorized access to sensitive information, disruption of operations, and the potential spread of malware or ransomware within their networks. Cisco's Product Security Incident Response Team (PSIRT) has stated that, at the time of publication, they had not observed any malicious use or public exploitation of CVE-2025-20236.
ImgSrc: www.bleepstatic
References :
Cisco has acknowledged the vulnerability and released security updates to address the flaw. The affected versions include Webex App version 44.6, which has been fixed in version 44.6.2.30589. Users running version 44.7 are advised to migrate to a fixed release. Versions 44.5 and earlier, as well as 44.8 and later, are not vulnerable. The vulnerability has been assigned a high CVSS score of 8.8, reflecting its severe risk level.
Users and administrators are strongly urged to immediately check their Webex App version and apply the necessary patches to mitigate the risk of exploitation. Organizations relying on Cisco Webex for communication and collaboration are particularly at risk, as successful exploitation of this vulnerability could lead to unauthorized access to sensitive information, disruption of operations, and the potential spread of malware or ransomware within their networks. Cisco's Product Security Incident Response Team (PSIRT) has stated that, at the time of publication, they had not observed any malicious use or public exploitation of CVE-2025-20236.
ImgSrc: www.bleepstatic
Share:
References :
- securityonline.info: Cisco Patches CVE-2025-20236: Unauthenticated RCE Flaw in Webex App via Malicious Meeting Links
- The DefendOps Diaries: Understanding the Cisco Webex App Vulnerability: A Call to Action
- BleepingComputer: Cisco Webex bug lets hackers gain code execution via meeting links
- bsky.app: Cisco has released security updates for a high-severity Webex vulnerability that allows unauthenticated attackers to gain client-side remote code execution using malicious meeting invite links.
- www.bleepingcomputer.com: Cisco Webex bug lets hackers gain code execution via meeting links
- securityonline.info: Cisco Patches CVE-2025-20236: Unauthenticated RCE Flaw in Webex App via Malicious Meeting Links
Classification:
- HashTags: #Cisco #Webex #Vulnerability
- Company: Cisco
- Target: Webex Users
- Product: Webex
- Feature: Remote Code Execution
- Malware: CVE-2025-20236
- Type: Vulnerability
- Severity: High