- Cisco found and fixed three vulnerabilities, including a high-severity one
- The high-severity flaw was found in the Cisco Webex application
- It allowed attackers to execute commands remotely
Cisco has patched a high-severity vulnerability in its Webex videoconferencing platform that allowed threat actors to mount remote code execution (RCE) attacks against exposed endpoints.
The flaw was discovered in the custom URL parser of the Cisco Webex app and is described as an "insufficient input validation" vulnerability.
"An attacker could exploit this vulnerability by persuading a user to click on a crafted meeting invite link and download arbitrary files," says the NVD page for the flaw. "A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the targeted user."
No workaround
The vulnerability is tracked as CVE-2024-20236 and was assigned a severity score of 8.8/10 (high).
Cisco also explained that the vulnerability is present in all prior versions of the product, regardless of the operating system it runs on or the system configuration.
The networking giant also said there are no workarounds for the flaw, so installing the update is the only way to mitigate the risk.
While it is the most severe, it is not the only recently addressed vulnerability. The company also fixed two more flaws, CVE-2025-20178 (6.0/10) and CVE-2025-20150 (5.3/10).
The former is a privilege escalation flaw in the Secure Network Analytics web interface that allows threat actors holding administrator credentials to execute arbitrary commands as root.
The latter was found in Nexus Dashboard and allows threat actors to remotely enumerate LDAP user accounts, distinguishing valid accounts from invalid ones.
The good news is that the vulnerabilities are not yet being exploited in the wild, BleepingComputer reports, citing the analysis of the company's Product Security Incident Response Team (PSIRT).
Cisco gear, both software and hardware, is popular in both the enterprise and consumer homes. That makes it a prime target for threat actors, both state-sponsored and profit-driven.
Via BleepingComputer