Cisco released a security update to address three high severity remote code execution vulnerabilities in Cisco Webex Network Recording Player.
The patch includes fixes for three remote code execution (RCE) vulnerabilities in the Cisco Webex Network Recording Player for Advanced Recording Format (ARF). Exploitation could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.
An excerpt of the threat from Cisco’s advisory:
“The vulnerabilities are due to improper validation of Webex recording files. An attacker could exploit these vulnerabilities by sending a user a link or email attachment containing a malicious file and persuading the user to open the file in the Cisco Webex Player. A successful exploit could allow the attacker to execute arbitrary code on an affected system.”
The RCE vulnerabilities are CVE-2018-15414, CVE-2018-15421 and CVE-2018-15422.