The high-severity flaw, tracked as CVE-2025-20236, has prompted Cisco to release emergency patches for affected versions of the popular collaboration platform. The flaw, which has been assigned a CVSS base score of 8.8 (High), exists in the Cisco Webex App’s custom URL parser component. This vulnerability is particularly dangerous because it can lead to remote code execution with the privileges of the targeted user.

An attacker begins by crafting a malicious Webex meeting URL that exploits the parser vulnerability. When unsuspecting users click on this weaponized meeting link, the vulnerable Webex client processes it without proper validation, allowing the download of arbitrary files. The complete CVSS vector string for this vulnerability indicates that exploitation requires user interaction but can compromise confidentiality, integrity, and availability completely.

According to Cisco’s advisory published on April 16, 2025, the vulnerability affects specific versions of the Cisco Webex App across all operating systems and configurations. The vulnerability was discovered during Cisco’s internal security testing, suggesting it was identified and patched before malicious actors could discover and exploit it in the wild. Although Cisco’s Product Security Incident Response Team (PSIRT) states that it is “not aware of any public announcements or malicious use of the vulnerability,” security experts warn that weaponization could happen quickly now that the vulnerability has been disclosed.

Cisco has released security updates that address the vulnerability. The company notes that no workarounds are available for this vulnerability, making patching the only effective mitigation strategy.
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 17 Apr 2025 05:40:09 +0000