Vulnerability in Cisco Webex cloud service exposed government authorities, companies
The vulnerability that allowed a German journalist to discover links to video conference meetings held by Bundeswehr (the German armed forces) and the Social Democratic Party of Germany (SPD) via their self-hosted Cisco Webex instances similarly affected the Webex cloud service.
The Cisco Webex Meetings cloud vulnerability
The vulnerability affected all organizations “that have a domain such as organisationsname.webex.com,” according to Netzbegrünung, an association that organizes the digital infrastructure for Bündnis 90/Die Grünen (a German green political party).
Discovered by Netzbegrünung and verified by Eva Wolfangel with ZEIT Online, the bug allowed the discovery of information about past and future Webex meetings involving:
- The country’s Federal Office for Information Security (BSI), the Bundestag (i.e., the parliament), various ministries, the Federal Chancellery, and other federal and state offices
- Authorities and companies – big and small – in Germany, the Netherlands, Italy, Austria, France, Switzerland, Ireland and Denmark
Unlike the Bundeswehr and the SPD, these organizations use Webex in the cloud, Wolfangel said.
“The cause of the vulnerability is again [the fact that] Cisco does not use random numbers to assign numbers used for meetings,” Netzbegrünung explained.
“This time it affects a different number than the on-premise system of the Bundeswehr, but the counting method is similar. In combination with an incorrectly configured view for mobile devices, it was then possible to retrieve a huge amount of metadata with a simple web browser – and this for months, probably years.”
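The counter-based meeting number allocation Netzbegrünung describes is shown below as an added example (not Cisco's code): a constructed sequential allocator next to a CSPRNG-based one, plus a check a defender can run over a sample of their own issued numbers; the 10-digit width and the threshold are assumptions.

```python
import secrets

# Added example, not Cisco's code: a counter-based meeting number allocator
# (the pattern described in the article) next to a CSPRNG-based one, plus a
# check that flags predictable allocation from a sample of issued numbers.

MEETING_NUMBER_DIGITS = 10          # assumed width of a meeting number
ID_SPACE = 10 ** MEETING_NUMBER_DIGITS


class SequentialAllocator:
    """Counts upward: knowing one valid number reveals its neighbours."""

    def __init__(self, start: int = 1_000_000_000) -> None:
        self._next = start

    def allocate(self) -> int:
        number = self._next
        self._next += 1
        return number


class RandomAllocator:
    """Draws each number from a CSPRNG and refuses duplicates."""

    def __init__(self) -> None:
        self._issued: set[int] = set()

    def allocate(self) -> int:
        while True:
            number = secrets.randbelow(ID_SPACE)
            if number not in self._issued:
                self._issued.add(number)
                return number


def looks_predictable(sample: list[int], max_step: int = 1000) -> bool:
    """Flag a sample (in issuance order) whose consecutive numbers mostly lie
    within max_step of each other. For uniform 10-digit numbers the chance of
    such a small gap is about 2e-7 per pair, so a majority of small gaps means
    the allocator is effectively counting."""
    if len(sample) < 2:
        return False
    gaps = [abs(b - a) for a, b in zip(sample, sample[1:])]
    small = sum(1 for g in gaps if g <= max_step)
    return small / len(gaps) > 0.5


def audit(allocator, count: int = 50) -> bool:
    """Issue `count` numbers from an allocator and report predictability."""
    return looks_predictable([allocator.allocate() for _ in range(count)])


if __name__ == "__main__":
    print("sequential predictable:", audit(SequentialAllocator()))  # True
    print("random predictable:    ", audit(RandomAllocator()))      # False
```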
Tricks to gain access to Webex meetings
Meeting information and metadata may be of interest to spies and criminals, Wolfangel noted, as they might profit from knowing who is discussing which things with whom, when, and how long the discussion lasted.
But it is unknown whether the vulnerability has been previously exploited by malicious individuals or groups.
As Wolfangel established, it was also possible to dial in to some of the discovered meetings, even when a password was required to join with video via the browser or the Webex app. Apparently, those who join by phone (audio only) and don’t know their “participant number” can simply press the hash key and are let in.
She successfully used this trick to join a video meeting of the Federal Office for Migration and Refugees (BAMF) and one of Barmer Krankenkasse (a health insurance firm), though the other participants noticed that an unknown number had joined the conversation.
When she previously joined a Webex meeting of the SPD where all the other participants were connected by phone, she said she went “partly unnoticed”.
Cisco implements fixes
“In early May 2024, Cisco identified bugs in Cisco Webex Meetings that we now believe were leveraged in targeted security research activity allowing unauthorized access to meeting information and metadata in Cisco Webex deployments for certain customers hosted in our Frankfurt data center. These bugs have been addressed and a fix has been fully implemented worldwide as of May 28, 2024,” Cisco confirmed on Tuesday.
“Cisco has notified those customers who had observable attempts to access meeting information and metadata based on available logs. Since the bugs were patched, Cisco has not observed any further attempts to obtain meeting data or metadata leveraging the bugs.”
Netzbegrünung board member Max Pfeuffer confirmed for Help Net Security that the method they used to find the meetings no longer works.
source: HelpNetSecurity