Cisco WebEx Meetings Server User Enumeration Vulnerability

A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to guess valid user accounts on the targeted system.

The vulnerability exists because the affected software fails to refresh the CAPTCHA on the login page. An attacker could exploit this vulnerability by conducting unlimited user account guessing attempts against an affected server. A successful exploit may allow an attacker to discover valid user accounts on the server.

Cisco has confirmed the vulnerability and released updated software.

To exploit the vulnerability, the attacker may need to have access to trusted or internal networks to conduct brute-force attacks against the targeted system. This access requirement could limit the likelihood of a successful exploit.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.