
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A high-severity vulnerability (CVE-2025-20236) was discovered in the custom URL parser of Cisco Webex App. The vulnerability allows an unauthenticated, remote attacker to execute arbitrary commands on a targeted user's system through malicious meeting invite links. The flaw was disclosed on April 16, 2025, and received a CVSS score of 8.8 (HIGH) (Cisco Advisory, Bleeping Computer).
The vulnerability stems from insufficient input validation in the Webex App's custom URL handling mechanism when processing meeting invite links. The flaw affects Cisco Webex App installations across all operating systems and configurations. Specifically, version 44.6 (prior to 44.6.2.30589) and version 44.7 are vulnerable, while versions 44.5 and earlier, and 44.8 and later are not affected. The vulnerability has been assigned CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) (Cisco Advisory).
Successful exploitation allows an attacker to execute arbitrary commands on the targeted user's system with that user's privileges. This could lead to complete compromise of the affected system (Cisco Advisory, Security Online).
Cisco has released security updates to address this vulnerability. There are no workarounds available, so users must update to the fixed versions: version 44.6.2.30589 for those running 44.6, while users on version 44.7 must migrate to a fixed release. Users running versions 44.5 and earlier or 44.8 and later are not affected and require no action (Cisco Advisory).
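The affected and fixed ranges above can be turned into an inventory triage check. The following is an added example, not code from Cisco or from this database; the inventory format, hostnames and sample build numbers are constructed, and treating 44.6 builds newer than 44.6.2.30589 as fixed is an assumption.

```python
import re

# First fixed build on the 44.6 train, as stated in the advisory summary above.
FIXED_44_6 = (44, 6, 2, 30589)

def parse_version(text):
    """Parse a dotted version such as '44.6.1.29928' into a tuple of ints."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))

def classify(version_text):
    """Map one reported Webex App version to a triage status."""
    version = parse_version(version_text)
    train = version[:2]
    if train == (44, 7):
        return "affected: migrate to a fixed release"
    if train == (44, 6):
        if len(version) < 4:
            # '44.6' alone cannot be compared against the fixed build number.
            return "unknown: full build number required"
        # Assumption: 44.6 builds newer than the fixed one also carry the fix.
        if version >= FIXED_44_6:
            return "fixed"
        return "affected: update to 44.6.2.30589"
    # 44.5 and earlier, 44.8 and later.
    return "not affected"

def triage(inventory):
    """Classify (host, version) pairs; unparsable versions are flagged, not dropped."""
    rows = []
    for host, version_text in inventory:
        try:
            status = classify(version_text)
        except ValueError:
            status = "unknown: unparsable version"
        rows.append((host, version_text, status))
    return rows

# Constructed sample inventory; hostnames and build numbers are illustrative.
SAMPLE_INVENTORY = [
    ("host-a", "44.6.1.29928"), ("host-b", "44.6.2.30589"),
    ("host-c", "44.7.0.30285"), ("host-d", "44.8.0.30404"),
    ("host-e", "44.6"), ("host-f", "n/a"),
]

if __name__ == "__main__":
    for host, version_text, status in triage(SAMPLE_INVENTORY):
        print(f"{host:8} {version_text:14} {status}")
```

Rows reported as unknown need a manual check of the installed build rather than being counted as unaffected.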
Source: This report was generated using AI