A severe vulnerability detected in the popular Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites could allow an unauthenticated attacker to join a password-protected video conferencing meeting. Attackers don't need a meeting password in order to join the Webex conferences.
According to Cisco, an attacker or unauthenticated attendee can join a video conference meeting if they have the meeting ID and a Webex mobile application for either iOS or Android; no authentication is required.
“The vulnerability is due to unintended meeting information exposure in a specific meeting join flow for mobile applications. An unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or meeting URL from the mobile device’s web browser. The browser will then request to launch the device’s Webex mobile application.”
Cisco has detected the vulnerability in Webex Meetings Suite sites and Cisco Webex Meetings Online sites. Releases earlier than 39.11.5 and 40.1.3 are considered to be affected.
This vulnerability is fixed in versions 39.11.5 and later and 40.1.3 and later for Webex Meetings Suite sites and Cisco Webex Meetings Online sites. These page versions apply to client versions T32, T33, T39, and T40. The fix applies to Cisco Webex Meetings Suite sites and Cisco Webex Meetings sites only. According to Cisco, customers are not required to update the Cisco Webex Meetings mobile application or the Cisco Webex Meetings desktop application.
Cisco Systems Online Releases
Perform the following steps to determine the current release of a Cisco Webex Meetings Suite site or Cisco Webex Meetings Online site:
- Log in to the Cisco Webex Meetings Suite site or Cisco Webex Meetings Online site.
- On the left side of the page, go to
- Next to Version Information, hover over the circled i.
- Check the value displayed next to Page version.
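Once the Page version values have been collected, they can be compared against the fixed releases. The following Python sketch is an added example, not Cisco's or the article's code. It assumes the two fixed versions belong to separate release trains (39.x and 40.x), that trains older than 39 have no fix, and it uses a constructed site inventory with hypothetical labels.

```python
import re

# Fixed page versions named in the article, keyed by major release train.
FIXED_BY_TRAIN = {39: (39, 11, 5), 40: (40, 1, 3)}

def parse_page_version(text):
    """Extract major.minor.patch from a 'Page version' value."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no dotted version in {text!r}")
    parts = tuple(int(p) for p in m.group().split("."))
    return (parts + (0, 0))[:3]  # pad or truncate to three components

def is_affected(page_version):
    """True if the page version predates the fix for its release train.

    Assumption: trains older than 39 have no fixed release and count as
    affected; trains newer than 40 count as fixed.
    """
    v = parse_page_version(page_version)
    major = v[0]
    if major < min(FIXED_BY_TRAIN):
        return True
    if major > max(FIXED_BY_TRAIN):
        return False
    # Compare within the train: 40.1.0 is affected even though it is
    # numerically later than the other train's fix, 39.11.5.
    return v < FIXED_BY_TRAIN[major]

# Constructed inventory: hypothetical site label -> Page version as read
# from the site's Version Information tooltip.
SITES = {
    "site-a": "39.11.4",
    "site-b": "39.11.5",
    "site-c": "40.1.0",
    "site-d": "40.1.3",
    "site-e": "Page version: 39.9.1",
}

def affected_sites(inventory):
    """Return the sorted labels of sites still on an affected release."""
    return sorted(n for n, ver in inventory.items() if is_affected(ver))

if __name__ == "__main__":
    for name in affected_sites(SITES):
        print(f"{name}: page version {SITES[name]} predates the fix")
```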