Critical RCE Bug in Cisco WebEx Browser Extensions Faces ‘Ongoing Exploitation’

cisco webex browser plug in

Users of the conferencing platform should update immediately.

A critical vulnerability in Cisco WebEx browser extensions that could allow unauthenticated remote code-execution (RCE) on targeted machines is being actively exploited in the wild.

The news comes just days after Cisco issued a flurry of 24 different patches for its IOS XE operating system and warned of an incomplete fix for two small business routers (RV320 and RV325).

WebEx is Cisco’s widely used conferencing platform, which takes a cloud-based approach to on-demand web- and videoconferencing. Browser extensions make it easier for users to join meetings and collaborate.

In exploiting this latest bug, attackers could execute arbitrary code with the privileges of the affected browser on Windows PCs that have specific browser extensions installed. The vulnerable extensions are for Cisco WebEx Meetings Server and Cisco WebEx Centers (Meeting Center, Event Center, Training Center and Support Center), according to an advisory.

“The vulnerability is due to a design defect in an application programing interface (API) response parser within the plugin,” Cisco said in the alert, issued Thursday.

The issue (CVE-2017-3823) can be easily exploited as well: An attacker needs only to convince an affected user to visit a booby-trapped web page or follow an attacker-supplied link with an affected browser. It appears that’s what’s happening now, according to the advisory.

The vulnerability was discovered in 2017 by Tavis Ormandy of Google, and Cisco subsequently released software updates for Google Chrome, Firefox and Internet Explorer, so users who haven’t should update immediately.

Versions prior to 1.0.7 of the Cisco WebEx Extension on Google Chrome, prior to 106 of the ActiveTouch General Plugin Container on Mozilla Firefox, prior to the first fixed version of the GpcContainer Class ActiveX control plugin on Internet Explorer, and prior to of the Download Manager ActiveX control plugin on Internet Explorer are affected.

Also on Thursday, Cisco updated its warning about a vulnerability in the web-based management interface of two small-business routers. The Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers have a bug that could allow an unauthenticated, remote attacker to retrieve sensitive information. Specifically, an attacker could download a router’s configuration or detailed diagnostic information, which could in turn be used to compromise it.

“The vulnerability is due to improper access controls for URLs,” Cisco explained in its advisory for the vulnerability. “An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs.”

The initial fix is incomplete, Cisco warned, adding that it’s working on an updated firmware. However, it subsequently added a mitigation recommendation to the mix:

“If the Remote Management feature is enabled, Cisco recommends disabling it to reduce exposure,” Cisco said. “The feature setting is under Firewall > General and is disabled by default. This will disable the web-based management interface on the WAN IP address, which is reachable via the WAN ports. The web-based management interface will continue to be available on the LAN IP address, which is reachable via the LAN ports.”

The issue affects Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers running firmware releases and later.

Don’t miss the free replay of our Threatpost webinar, “Exploring the Top 15 Most Common Vulnerabilities with HackerOne and GitHub.”

Vulnerability experts Michiel Prins, co-founder of webinar sponsor HackerOne, and Greg Ose, GitHub’s application security engineering manager, join Threatpost editor Tom Spring to discuss what vulnerability types are most common in today’s software, and what kind of impact they would have on organizations if exploited.




Suggested articles


  • Mike Brandt on

    You do realize this was a vulnerability from 2017, right?
    • Tara Seals on

      Yes, they updated the fixes -- I'll clarify.
  • Aric on

    This bug was originally reported in January. The "new" news that was in Cisco's update is that the Cisco Product Security Incident Response Team (PSIRT) has been notified of ongoing, but limited, exploitation of this vulnerability. The vulnerability isn't new; just the limited information about ongoing exploitation.
  • James on

    Webex being one of the few that actually needs an extension to open vc links seamlessly. It's clunky at best. So many better options out there
  • Kray on

    Your title is still completely misleading for Webex. This was fixed in a version that no longer exist back from 2017. As read people think this issue exist today in Webex and was not fixed.
    • Tara Seals on

      As of March 28, the bug is still out there and being actively exploited, as per Cisco's advisory.
  • Anonymous on

    There are a lot of companies that still run old versions of web browsers and never bother to update.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.