Detections
Analytics
Cisco Webex App Client-Side RCE (cisco-sa-webex-app-client-rce-ufyMMYLC)
high Nessus Plugin ID 234620
Synopsis
The remote device is missing a vendor-supplied security patch.Description
According to its self-reported version, Cisco Webex App Client-Side Remote Code Execution is affected by a vulnerability.- A vulnerability in the custom URL parser of Cisco Webex App could allow an unauthenticated, remote attacker to persuade a user to download arbitrary files, which could allow the attacker to execute arbitrary commands on the host of the targeted user. This vulnerability is due to insufficient input validation when Cisco Webex App processes a meeting invite link. An attacker could exploit this vulnerability by persuading a user to click a crafted meeting invite link and download arbitrary files. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the targeted user. (CVE-2025-20236)
Please see the included Cisco BIDs and Cisco Security Advisory for more information.
Solution
Upgrade to the relevant fixed version referenced in Cisco bug ID CSCwn07296See Also
Plugin Details
Severity: High
ID: 234620
File Name: cisco-sa-webex-app-client-rce-ufyMMYLC.nasl
Version: 1.1
Type: local
Family: CISCO
Published: 4/18/2025
Updated: 4/18/2025
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: High
Score: 7.4
CVSS v2
Risk Factor: Critical
Base Score: 10
Temporal Score: 7.4
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2025-20236
CVSS v3
Risk Factor: High
Base Score: 8.8
Temporal Score: 7.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:cisco:webex_app
Required KB Items: installed_sw/Webex App
Exploit Ease: No known exploits are available
Patch Publication Date: 4/16/2025
Vulnerability Publication Date: 4/16/2025
Reference Information
CVE: CVE-2025-20236