Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools Update Service Command Injection Vulnerability
Description
A vulnerability in the update service of Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user. The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges. While the CVSS Attack Vector metric denotes the requirement for an attacker to have local access, administrators should be aware that in Active Directory deployments, the vulnerability could be exploited remotely by leveraging the operating system remote management tools. This vulnerability is fixed in Cisco Webex Meetings Desktop App Release 33.6.6 and 33.9.1 releases. This vulnerability is fixed in Cisco Webex Productivity Tools Release 33.0.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cisco Webex Meetings Desktop App and Productivity Tools for Windows allow local authenticated users to execute arbitrary commands as SYSTEM via crafted update-service arguments.
Vulnerability
Cisco Webex Meetings Desktop App versions prior to 33.6.6 and 33.9.1, and Cisco Webex Productivity Tools versions prior to 33.0.7 for Windows, contain an OS command injection vulnerability (CWE-78) in the update service. The service fails to properly validate user-supplied parameters, enabling an attacker to inject arbitrary commands [1][2].
Exploitation
An authenticated attacker with local access to the system can exploit this vulnerability by invoking the update service command with a crafted argument. The attacker does not require elevated privileges prior to exploitation. In Active Directory environments, administrators should be aware that remote exploitation may be possible using operating system remote management tools to issue the command locally [2].
Impact
Successful exploitation allows the attacker to execute arbitrary commands with SYSTEM user privileges, resulting in complete compromise of the affected endpoint (privilege escalation) [1][2].
Mitigation
Cisco has released fixed versions: Cisco Webex Meetings Desktop App 33.6.6 or later (33.9.x branch also fixed) and Cisco Webex Productivity Tools 33.0.7 or later. Users should update immediately via the Cisco Software Center or the application's built-in update mechanism. No workarounds are available [2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
4- Range: <33.6.6
<33.0.7+ 1 more
- (no CPE)range: <33.0.7
- (no CPE)range: unspecified
- Cisco/Cisco Webex Meetings Desktop Appv5Range: unspecified
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Insufficient validation of user-supplied parameters in the update service allows OS command injection."
Attack vector
An authenticated, local attacker exploits insufficient validation of user-supplied parameters in the update service [CWE-78]. The attacker copies crafted files to a local folder and invokes the update service command with a malicious argument. Because the service runs with SYSTEM privileges, the crafted argument causes arbitrary command execution at that elevated level. In Active Directory deployments, the attack can also be triggered remotely via operating system remote management tools [ref_id=1].
Affected code
The vulnerability resides in the update service of Cisco Webex Meetings Desktop App for Windows. The service does not properly validate version numbers of new files, allowing an unprivileged local attacker to invoke the update service command with a crafted argument and folder [ref_id=1].
What the fix does
Cisco addressed the vulnerability by improving validation of user-supplied parameters in the update service. The fix is included in Cisco Webex Meetings Desktop App releases 33.6.6 and 33.9.1, and in Cisco Webex Productivity Tools release 33.0.7 [ref_id=1]. No patch diff is available in the bundle, but the advisory confirms that the update service now properly validates version numbers and arguments before acting on them.
Preconditions
- networkAttacker must have local access to the Windows system (or remote access via Active Directory remote management tools)
- inputAttacker must be able to copy files to a local folder and invoke the update service command
- authAttacker must be authenticated on the system
Reproduction
The public PoC at https://www.exploit-db.com/exploits/46479/ describes copying crafted files to a local attacker-controlled folder and invoking the update service command with a crafted argument. The advisory states: "The vulnerability can be exploited by copying to a local attacker" (text truncated in source) [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3- www.exploit-db.com/exploits/46479/mitreexploitx_refsource_EXPLOIT-DB
- tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-wmda-cmdinjmitrevendor-advisoryx_refsource_CISCO
- www.securityfocus.com/bid/107184mitrevdb-entryx_refsource_BID
News mentions
0No linked articles in our index yet.