NIST, the National Institute of Standards and Technology, is warning of a Cisco Webex vulnerability that could lead to remote code execution.
Webex is a popular videoconferencing application, especially in the enterprise space. According to NIST’s NVD entry for this particular issue, Webex has a vulnerability related to how it processes a meeting invite link. Webex does not perform enough input validation on meeting links, meaning a bad actor could use a crafted link to convince a target to download malicious files.
A vulnerability in the custom URL parser of Cisco Webex App could allow an unauthenticated, remote attacker to persuade a user to download arbitrary files, which could allow the attacker to execute arbitrary commands on the host of the targeted user. This vulnerability is due to insufficient input validation when Cisco Webex App processes a meeting invite link. An attacker could exploit this vulnerability by persuading a user to click a crafted meeting invite link and download arbitrary files. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the targeted user.
Cisco says it has released a free software update to address the issue.
Cisco has released free software updates that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
According to the company, versions 44.5 and earlier are not vulnerable, nor are versions 44.8 and later. Version 44.6 is vulnerable and is fixed in version 44.6.2.30589. Version 44.7 is also vulnerable, although the company does not list which specific patch fixes it, saying only to “migrate to a fixed release.”
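The version ranges above can be turned into a simple fleet inventory check. The following is an added example, not a Cisco tool or code from the advisory; the status rules are taken only from the versions the article states, and the hostnames and build numbers in the sample inventory are constructed.

```python
from typing import List, Tuple

# Fixed build for the 44.6 line, as stated in the article.
FIXED_44_6 = "44.6.2.30589"


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted Webex version into integers so comparisons are numeric
    (a plain string comparison would rank "44.6.10" below "44.6.2")."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def pad(t: Tuple[int, ...], n: int) -> Tuple[int, ...]:
    """Right-pad with zeros so "44.6" and "44.6.0.0" compare as equal."""
    return t + (0,) * (n - len(t))


def version_lt(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    n = max(len(a), len(b))
    return pad(a, n) < pad(b, n)


def classify(version: str) -> str:
    """Return 'not vulnerable', 'vulnerable' or 'fixed' for an installed
    Webex App version, following the ranges reported in the article."""
    v = parse_version(version)
    major, minor = pad(v, 2)[:2]
    if (major, minor) <= (44, 5):
        return "not vulnerable"  # 44.5 and earlier
    if (major, minor) >= (44, 8):
        return "not vulnerable"  # 44.8 and later
    if (major, minor) == (44, 6):
        fixed = parse_version(FIXED_44_6)
        return "vulnerable" if version_lt(v, fixed) else "fixed"
    # 44.7: vulnerable; no specific fixed build is listed, so the only
    # remediation the article gives is to migrate to a fixed release.
    return "vulnerable"


def hosts_needing_action(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Filter (hostname, version) pairs down to those still exposed."""
    return [(h, v) for h, v in inventory if classify(v) == "vulnerable"]


# Constructed sample inventory; hostnames and builds are not real data.
SAMPLE_INVENTORY = [
    ("ws-01", "44.5.0.29999"),
    ("ws-02", "44.6.1.30000"),
    ("ws-03", "44.6.2.30589"),
    ("ws-04", "44.7.0.30700"),
    ("ws-05", "44.8.0.31000"),
]
```

Running `hosts_needing_action(SAMPLE_INVENTORY)` over the constructed inventory lists ws-02 and ws-04 as the hosts still needing an update.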