CERT warns of Cisco WebEx vulnerability


Cisco has patched its WebEx conferencing plug-ins for Chrome and Firefox because a newly discovered flaw could allow outsiders to take control of a system.

In a July 17 advisory on its website, the company called the vulnerability “critical” and gave the bug a Common Vulnerability Scoring System score of 9.6 out of a possible 10.

The U.S. Computer Emergency Readiness Team issued a notice concerning Cisco’s security update on July 17, the same day Cisco issued its advisory.

The bug was originally detected by Project Zero researcher Tavis Ormandy and Divergent Security’s Cris Neckar on July 6. The patch was publicly released on July 17.

“A vulnerability in Cisco WebEx browser extensions for Google Chrome and Mozilla Firefox could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system,” Cisco’s notification said. “This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when they are running on Microsoft Windows.”

The company said its WebEx browser extensions for Mac or Linux, its WebEx on Microsoft Edge or Internet Explorer, and its WebEx Productivity Tools are not vulnerable.

CERT’s advisory, along with its notification of the available patches, also said the flaw in the Chrome and Firefox browser extensions could be used by a remote user to take control of a system.

Cisco sells Federal Risk and Authorization Management Program-approved web conferencing and hosted collaboration solutions to the federal government.

A company spokeswoman told FCW in an email she couldn’t provide an immediate comment on whether the vulnerability affected those products. She said, however, that all Chrome and Firefox browser extensions running on Windows are affected, and customers should update immediately.

For most users, the spokeswoman said, the patched versions will install automatically during their next WebEx session. She added that fixed versions are available for systems that need manual updates by an administrator.

For users whose systems don’t allow automatic updates and have not yet been patched by administrators, the security advisory outlines alternate browser options and other security measures for immediate consideration.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Follow him on Twitter at @MRockwell4.

