Cisco fixes WebEx bugs allowing ‘ghost’ attackers in meetings


Cisco today fixed three Webex Meetings security vulnerabilities that would have allowed unauthenticated remote attackers to join ongoing meetings as ghost participants.

Cisco Webex is an online meeting and video conferencing software that can be used to schedule and join meetings. It also provides users with presentation, screen sharing, and recording capabilities.

Cisco’s remote meetings platform has seen a 451% usage increase over four months due to the current COVID-19 pandemic, with roughly 4 million meetings being hosted in a single day for 324 million users at its peak.

Ghost attackers in your Webex meeting

Threat actors abusing the now-patched flaws could become ‘ghost’ users capable of joining a meeting without being detected, as IBM researchers discovered while analyzing Cisco’s collaboration tool for vulnerabilities.

‘Ghost’ users are meeting participants that can’t be seen in the user list and were not invited to the meeting, but they can hear, speak, and share media within the meeting.

The three bugs also enabled attackers to remain in the Webex meeting and maintain a bidirectional audio connection even after admins removed them, and to access Webex users’ information, such as email addresses and IP addresses, from the meeting room lobby.

The vulnerabilities exist in Cisco Webex Meetings and Cisco Webex Meetings Server, and they “work by exploiting the handshake process that Webex uses to establish a connection between meeting participants.”

When successfully exploited, IBM researchers said that the bugs would have allowed attackers to:

  • Join a Webex meeting as a ghost without being seen on the participant list with full access to audio, video, chat, and screen sharing capabilities (CVE-2020-3419)
  • Stay in a Webex meeting as a ghost after being expelled from it, maintaining audio connection (CVE-2020-3471)
  • Gain access to information on meeting attendees – including full names, email addresses, and IP addresses – from the meeting room lobby, even without being admitted to the call (CVE-2020-3441)

Security updates available

The researchers were able to successfully demonstrate attacks abusing these Webex bugs on the Windows, macOS, and iOS versions of the Webex Meetings applications and on the Webex Room Kit appliance.

Cisco has addressed the vulnerabilities by patching cloud-based Cisco Webex Meetings sites and releasing security updates for on-premises software such as the Cisco Webex Meetings mobile app and the Cisco Webex Meetings Server software.

Users are advised to update to the latest Webex version immediately to protect meetings from attackers attempting to exploit the flaws and join as ghost users.

IBM’s research team has also made a video demo with vulnerability details and tips on what Webex Meetings users can do to protect themselves from attacks.


Video Source: IBM News YouTube Channel


Cisco has also addressed multiple critical vulnerabilities in its Cisco IoT Field Network Director (CVE-2020-3531), Cisco DNA Spaces Connector (CVE-2020-3586), and Cisco Integrated Management Controller (CVE-2020-3470) products.

Following successful exploitation, unauthenticated remote attackers could execute arbitrary commands (with root privileges in some cases) and access the back-end database of compromised systems.


The information is gathered from BLEEPING COMPUTER.