Vulnerability in Cisco Webex cloud service exposed government authorities, companies
The vulnerability that allowed a German journalist to discover links to video conference meetings held by the Bundeswehr and the Social Democratic Party of Germany via their self-hosted Cisco Webex instances also affected the Webex cloud service.
"The cause of the vulnerability is again that Cisco does not use random numbers to assign numbers used for meetings," Netzbegrünung explained.
As Wolfangel established, it was also possible to dial in to some of the discovered meetings, even if passwords were required to participate via browser or Webex app.
"In early May 2024, Cisco identified bugs in Cisco Webex Meetings that we now believe were leveraged in targeted security research activity allowing unauthorized access to meeting information and metadata in Cisco Webex deployments for certain customers hosted in our Frankfurt data center. These bugs have been addressed and a fix has been fully implemented worldwide as of May 28, 2024," Cisco confirmed on Tuesday.
"Cisco has notified those customers who had observable attempts to access meeting information and metadata based on available logs. Since the bugs were patched, Cisco has not observed any further attempts to obtain meeting data or metadata leveraging the bugs."
Netzbegrünung board member Max Pfeuffer confirmed for Help Net Security that the method they used to find the meetings no longer works.
News URL
https://www.helpnetsecurity.com/2024/06/05/cisco-webex-cloud-vulnerability/