CVE-2018-15442
published 2018-10-24

Priority: P2 · 60 · high · 7.8 (CVSS 3.0)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 16.02% (96.5th percentile)

A vulnerability in the update service of Cisco Webex Meetings Desktop App for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user. The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges. While the CVSS Attack Vector metric denotes the requirement for an attacker to have local access, administrators should be aware that in Active Directory deployments, the vulnerability could be exploited remotely by leveraging the operating system remote management tools.

Affected

4 ranges
Vendor | Product | Version range | Fixed in
cisco | cisco_webex_event_center | - | -
cisco | webex_meetings_desktop | < 33.6.4 | 33.6.4
cisco | webex_meetings_desktop_app_update_service | - | -
cisco | webex_productivity_tools | >= 32.6.0 < 33.0.6 | 33.0.6

Detection & IOCs

process: webexservice
command: sc start webexservice install software-update 1 <exe_path>
path: %SystemRoot%\Temp
  • Monitor for 'sc start webexservice' commands with 'install software-update' arguments, which is the exploitation trigger for CVE-2018-15442.
  • Alert on the 'webexservice' Windows service spawning child processes (especially cmd.exe or arbitrary executables), as it runs as SYSTEM and should not normally execute user-supplied binaries.
  • Detect executable files written to %SystemRoot%\Temp or c:\Windows\Temp\ followed immediately by a 'sc start webexservice' invocation, indicating payload staging for this exploit.
  • In Active Directory environments, monitor for remote invocation of webexservice via OS remote management tools (e.g., WMI, PsExec), as the vulnerability can be exploited remotely in such deployments.
  • The SMB-based exploit module (WebExec) authenticates over SMB and uses any non-guest credential to execute commands via webexservice; monitor for SMB authentication followed by webexservice process creation from remote sessions.
  • The vulnerability can only be exploited if 'webexservice' is set to start automatically; if the service startup type is Manual or Disabled, exploitation is blocked unless the attacker has elevated permissions to change the service configuration.
  • UAC being enabled may produce false negatives when checking for writable folders during exploitation, potentially affecting payload delivery reliability.
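
The first three monitoring points above can be combined into one correlation pass over endpoint telemetry. The following is an added example, not code from this page or from Cisco; the event schema, the 120-second window and the sample events (including the service binary's path) are assumptions made for illustration.

```python
import re
from ntpath import basename

# Trigger named on the page: sc start webexservice install software-update ...
SC_TRIGGER = re.compile(
    r"\bsc(?:\.exe)?\s+start\s+webexservice\b.*\binstall\s+software-update\b",
    re.I)
# Executable dropped directly in %SystemRoot%\Temp or <drive>:\Windows\Temp
TEMP_EXE = re.compile(r"^(?:%systemroot%|[a-z]:\\windows)\\temp\\[^\\]+\.exe$", re.I)
STAGING_WINDOW = 120  # seconds; assumed correlation window, tune per environment

def detect(events):
    """Return (ts, host, rule) findings. The event schema is hypothetical:
    dicts with ts, host, type ('proc' or 'file'), plus cmdline/parent or path."""
    findings, staged = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["type"] == "file":
            if TEMP_EXE.match(ev["path"]):
                staged[host] = ev["ts"]  # remember latest staging time per host
            continue
        if SC_TRIGGER.search(ev.get("cmdline", "")):
            findings.append((ev["ts"], host, "sc_trigger"))
            if ev["ts"] - staged.get(host, float("-inf")) <= STAGING_WINDOW:
                findings.append((ev["ts"], host, "temp_exe_then_trigger"))
        # The service runs as SYSTEM; any child it spawns deserves review.
        if basename(ev.get("parent", "")).lower().startswith("webexservice"):
            findings.append((ev["ts"], host, "webexservice_child"))
    return findings

# Constructed sample events (not real telemetry; all paths are made up).
SAMPLE_EVENTS = [
    {"ts": 100, "host": "ws1", "type": "file", "path": r"C:\Windows\Temp\upd.exe"},
    {"ts": 130, "host": "ws1", "type": "proc", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"sc start webexservice install software-update 1 C:\Windows\Temp\upd.exe"},
    {"ts": 131, "host": "ws1", "type": "proc", "parent": r"C:\Apps\Webex\WebExService.exe",
     "cmdline": r"C:\Windows\Temp\upd.exe"},
    {"ts": 200, "host": "ws2", "type": "proc", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "sc start webexservice"},  # plain service start: no finding
    {"ts": 900, "host": "ws3", "type": "proc", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"SC.EXE START WebExService INSTALL SOFTWARE-UPDATE 1 C:\Users\Public\x.exe"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

A plain `sc start webexservice` with no `install software-update` argument is deliberately not flagged, since that is an ordinary service start.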

CVSS provenance

nvd | v3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C
vendor_cisco | 7.8 | HIGH