VYPR
Unrated severity · NVD Advisory · Published Jun 20, 2018 · Updated Aug 5, 2024

CVE-2018-12592

Description

Polycom RealPresence Web Suite before 2.2.0 fails to block a user's video feed for a few seconds after joining a meeting when the user opted to turn off video, exposing them unintentionally.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Polycom RealPresence Web Suite versions prior to 2.2.0 do not honor a user's explicit choice to disable their video camera during the first few seconds of joining a meeting [1]. When a user selects the option to turn off their video before or upon entering a meeting, the application still streams video for a brief period, potentially revealing the user's surroundings without their knowledge [1].

Exploitation

An attacker only needs to be a participant in the same meeting and have their video viewing enabled [1]. No special network position or authentication beyond normal meeting access is required. The exploit occurs automatically: when a victim joins a meeting with video disabled via the specific option, the meeting system fails to suppress the video stream for several seconds, during which other attendees can observe the victim's camera feed [1].

Impact

Successful exploitation results in an unintentional disclosure of the victim's video image and surroundings to other meeting participants [1]. This violates the user's privacy expectations and consent settings, potentially exposing sensitive visual information. The impact is limited to information disclosure; no code execution or data modification occurs.

Mitigation

Polycom released RealPresence Web Suite version 2.2.0, which addresses this issue by ensuring that the video feed is properly blocked from the moment the user opts to disable it [1]. Users should upgrade to version 2.2.0 or later. No workaround is documented in the available references.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2
