Advisory

Cisco Webex reports Client-Side remote code execution vulnerability

Take action: If you are using Cisco Webex App release 44.6 or 44.7 on any platform, either uninstall it and install the latest version, or ask your Webex admin for an updated version. This advice should have been a simple "just update", but the fixed versions are not available to just anyone; you have to jump through some hoops to obtain them.


Learn More

Cisco has released security updates to address a high-severity vulnerability in the Cisco Webex App that allows unauthenticated attackers to execute arbitrary code on a victim's system through malicious meeting invite links. 

The vulnerability, tracked as CVE-2025-20236 (CVSS score 8.8), lies in the custom URL parser of the Cisco Webex App and stems from insufficient input validation when processing meeting invite links. Attackers can exploit it through social engineering, persuading users to click specially crafted meeting invite links that download arbitrary files. If successful, this allows the attacker to execute arbitrary commands with the same privileges as the targeted user.

According to Cisco's advisory this vulnerability affects the Cisco Webex App across all operating systems and system configurations and impacts Cisco Webex App release 44.6 and release 44.7. 

Cisco has confirmed that releases 44.5 and earlier, as well as 44.8 and later, are not vulnerable to this security flaw.

Cisco has provided the following fixes:

  • Cisco Webex App release 44.6: update to version 44.6.2.30589
  • Cisco Webex App release 44.7: users must migrate to a fixed release
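The version boundaries above are easy to get wrong when checking an inventory by hand, because a plain numeric comparison would rank 44.7.x "above" the 44.6 fixed build 44.6.2.30589 and wrongly call it patched, when the advisory says every 44.7 build must migrate. The following triage helper is an added example, not Cisco's code or tooling; it encodes only the ranges stated in this advisory (44.5 and earlier not affected, 44.6 fixed from 44.6.2.30589, all of 44.7 vulnerable, 44.8 and later not affected) and assumes version strings of the form `major.minor[.patch[.build]]` as reported by the installed client. The host inventory in the block is constructed sample data.

```python
"""Classify installed Cisco Webex App versions against the affected ranges
for CVE-2025-20236 as stated in the advisory.

Added example, not Cisco's code. Assumes dotted numeric version strings.
"""

# First 44.6 build that carries the fix, per the advisory.
FIXED_44_6 = (44, 6, 2, 30589)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '44.6.2.30589' into (44, 6, 2, 30589); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(version: tuple[int, ...], width: int = 4) -> tuple[int, ...]:
    """Right-pad with zeros so '44.6' compares as (44, 6, 0, 0)."""
    return version + (0,) * max(0, width - len(version))


def classify(text: str) -> str:
    """Return 'not affected', 'vulnerable' or 'fixed' for one version string.

    Branch on the release train (major.minor) first: the 44.7 train is
    vulnerable in its entirety even though 44.7.x sorts above the 44.6 fix.
    """
    v = _pad(parse_version(text))
    train = (v[0], v[1])
    if train < (44, 6):
        return "not affected"          # 44.5 and earlier
    if train == (44, 6):
        return "fixed" if v >= FIXED_44_6 else "vulnerable"
    if train == (44, 7):
        return "vulnerable"            # no fixed 44.7 build; migrate instead
    return "not affected"              # 44.8 and later


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by classification; unparseable entries go to 'unknown'."""
    groups: dict[str, list[str]] = {
        "vulnerable": [], "fixed": [], "not affected": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            groups[classify(version)].append(host)
        except ValueError:
            groups["unknown"].append(host)
    return groups


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "laptop-01": "44.5.0.29000",
    "laptop-02": "44.6.1.30200",
    "laptop-03": "44.6.2.30589",
    "laptop-04": "44.7.0.30700",
    "laptop-05": "44.8.0.31000",
    "laptop-06": "n/a",
}

if __name__ == "__main__":
    for label, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{label:>12}: {', '.join(hosts) or '-'}")
```

Run it against an export from your endpoint management tool; every host in the `vulnerable` bucket needs either the 44.6.2.30589 update or a migration off 44.7, and anything in `unknown` needs a manual look because the reported version could not be parsed.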

Cisco has emphasized that there are no workarounds available to address this vulnerability, making it essential for users to install the available security updates. Organizations with service contracts can obtain these updates through their usual update channels, while those without service contracts can contact the Cisco Technical Assistance Center (TAC).
