Millions of Webex users on Windows are susceptible to an arbitrary code execution flaw that could potentially allow hackers to gain access to a user’s system and exploit system level privileges. Cisco has released a patch and has advised users to update their application immediately.
Cisco recently released patches for high severity vulnerabilities, including a fix for Webex Meetings Desktop Application for Windows. The vulnerability, tracked as CVE-2020-3588, can allow arbitrary code execution on a remote device with the Webex virtual desktop app used for virtualized channel messaging.
The high-severity flaw (CVSS score of 7.3) can only be exploited when the Webex desktop app for Windows is deployed in a virtual desktop environment. It also affects the app in a hosted virtual desktop (HVD) environment when configured to use the Cisco Webex Meetings virtual desktop plug-in for thin clients.
Attackers can exploit the target user’s account to run arbitrary malicious code. “A local attacker with limited privileges could exploit this vulnerability by sending malicious messages to the affected software by using the virtualization channel interface,” explained Cisco. “A successful exploit could allow the attacker to modify the underlying operating system configuration, which could allow the attacker to execute arbitrary code with the privileges of a targeted user.”
CVE-2020-3588 exists due to improper validation of messages in the Webex desktop client, and the networking giant has issued a patch for this. All Webex versions for Windows prior to releases 40.6.9 and 40.8.9 are vulnerable to CVE-2020-3588, and should be patched immediately.
So far, the bug remains unexploited, according to the Cisco Product Security Incident Response Team (PSIRT).
As with its competitors Zoom and Microsoft Teams, use of Webex surged to support remote work amid global lockdowns. As a result, millions of users who have not updated their Webex clients are at risk of cyberattacks.
Remote workers using Webex Meetings are advised to immediately update the Webex Meetings Virtual Desktop for Windows to mitigate the threats arising from CVE-2020-3588.