A new critical remote code execution vulnerability has been discovered in Cisco’s WebEx online and video collaboration software. The vulnerability can allow attackers to remotely execute commands through a component of the WebEx client even when WebEx does not listen for remote connections.
Lane Thames, Senior Security Researcher at Tripwire:
“This is an interesting vulnerability. I wouldn’t necessarily consider it earth-shattering; however, organizations might want to patch this quickly. Why? Because this vulnerability will be leveraged by malicious insiders (insider threats) and targeted attacks. The vulnerability requires a malicious actor to already have an account on the machine or on the domain. If an attacker has this foothold already within an organization’s network, this vulnerability could be used to gain or escalate privileges on very sensitive machines, such as those used by senior executives and such. Attackers focused on intellectual property theft and corporate espionage will find this vulnerability very useful, especially considering how common WebEx is within enterprise organizations.”