A group of specialists from a cyber security training course has revealed the finding of a critical vulnerability in the desktop version of Cisco Webex Meetings, one of today’s most popular video conferencing tools. According to the report, successful exploitation of this flaw would allow threat actors to overwrite critical files on the target system.
Below is a brief overview of the reported flaw, in addition to its identification key and score according to the Common Vulnerability Scoring System (CVSS).
CVE-2020-3440: This flaw exists due to insufficient validation of URL parameters when managing external links within Webex Meetings. A remote threat actor can trick a user into a specially designed site, which could allow malicious hackers to overwrite system files.
This is a medium severity vulnerability and received a CVSS score of 5.7/10.
The flaw resides in the following versions of Cisco Webex Meetings for Windows operating desktops: 33.6.0, 33.6.4, 33.6.5, 33.6.6, 33.9.1, 39.5.24, 40.4.6, 40.6.
It is important to remember that the flaw could be exploited by an unauthenticated remote threat actor, although cyber security training specialists have not detected attempts to exploit actively or any malware variant related to this attack. Updates are now available, so users should only install the latest version of the video conferencing software.
