Threat Watch

Cisco Patches Webex Video High-Severity Flaw Again

For the third time, Cisco has released a patch for a high-severity flaw in its Webex platform, after a bypass was created for the previous fix. The privilege escalation flaw (CVE-2019-1674) could give an attacker unauthenticated SYSTEM user privileges and allow them to run arbitrary commands. The flaw exists in the Webex Meetings Desktop app for Windows. Cisco attempted to patch it in October and again in November, and neither fix succeeded. The vulnerability comes from the update service failing to validate the "version numbers" of new files. An attacker can gain elevated privileges by invoking the update service command with a crafted argument and folder. To exploit the vulnerability, an attacker needs to be authenticated as well as local.


Cisco has stated that it is committed to treating security issues as a top priority. It has published another security advisory for this flaw and released a new patch that addresses the issue. Users should update to the newest version of Webex Meetings Desktop for Windows to prevent this flaw from being exploited.