// For flags

CVE-2018-15442

Cisco Webex Meetings Desktop App Update Service Command Injection Vulnerability

Severity Score

7.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

2
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A vulnerability in the update service of Cisco Webex Meetings Desktop App for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user. The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges. While the CVSS Attack Vector metric denotes the requirement for an attacker to have local access, administrators should be aware that in Active Directory deployments, the vulnerability could be exploited remotely by leveraging the operating system remote management tools.

Una vulnerabilidad en el servicio de actualizaciones de Cisco Webex Meetings Desktop App para Windows podría permitir que un atacante local autenticado ejecute comandos arbitrarios como usuario privilegiado. Esta vulnerabilidad se debe a una validación insuficiente de los parámetros introducidos por el usuario. Un atacante podría explotar esta vulnerabilidad invocando el comando específico del servicio de actualizaciones con un argumento manipulado. Su explotación con éxito podría permitir que el atacante ejecute comandos arbitrarios con privilegios de usuario SYSTEM. Aunque la métrica del vector de ataque de CVSS denota los requisitos para que un atacante tenga acceso local, los administradores deberían ser conscientes de que, en las implementaciones de Active Directory, la vulnerabilidad podría ser explotada remotamente aprovechando las herramientas de gestión remota del sistema operativo.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2018-08-17 CVE Reserved
  • 2018-10-24 CVE Published
  • 2024-09-16 CVE Updated
  • 2024-09-16 First Exploit
  • 2024-11-08 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Cisco
Search vendor "Cisco"
Webex Meetings Desktop
Search vendor "Cisco" for product "Webex Meetings Desktop"
< 33.6.4
Search vendor "Cisco" for product "Webex Meetings Desktop" and version " < 33.6.4"
windows
Affected
Cisco
Search vendor "Cisco"
Webex Productivity Tools
Search vendor "Cisco" for product "Webex Productivity Tools"
>= 32.6.0 < 33.0.6
Search vendor "Cisco" for product "Webex Productivity Tools" and version " >= 32.6.0 < 33.0.6"
-
Affected