Cisco disclosed a security vulnerability (CVE-2025-20255) affecting its Webex Meetings service that could allow remote attackers to manipulate cached HTTP responses.
The vulnerability, assigned a CVSS score of 4.3 (Medium severity), stems from improper handling of malicious HTTP requests within the client join services component.
Security researcher Matthew B. Johnson (d3d) is credited with discovering and reporting this HTTP cache poisoning vulnerability to Cisco.
The vulnerability allows unauthenticated attackers to exploit cache behavior to serve malicious content to Webex users. Cisco has already addressed the issue in its cloud-based platform, requiring no action from customers using the service.
Understanding HTTP Cache Poisoning Attacks
HTTP cache poisoning is a sophisticated attack technique where malicious actors exploit how web servers and caches process requests to deliver harmful content to multiple users.
The attack involves two critical phases: first, the attacker must trigger a response from the back-end server containing a dangerous payload; second, they must ensure this compromised response is cached and subsequently served to intended victims.
The vulnerability in Webex Meetings specifically involves manipulating unkeyed inputs in HTTP requests. Web caches identify resources using specific request components (known as the cache key) while ignoring unkeyed inputs.
When these unkeyed inputs affect the generated response but aren’t part of the cache decision-making process, attackers can inject payloads that alter responses for all users accessing the same cached resource.
A successful cache poisoning attack against Webex could potentially impact numerous users without requiring additional interaction from the attacker.
As security experts explained, “The poisoned response will only be served to users who visit the affected page while the cache is poisoned.”
Technical Exploitation
The Webex vulnerability (CWE-349) allows attackers to manipulate HTTP responses by exploiting how the service handles malicious HTTP requests.
Unlike traditional cross-site scripting attacks that target individual users, cache poisoning attacks leverage shared caching infrastructure to amplify impact.
The attack is launched over the network without authentication (AV:N) and has low attack complexity (AC:L), though it does require user interaction (UI:R) to complete the exploit chain.
The advisory indicates that while the vulnerability allows for integrity impacts (I:L), no confidentiality (C:N) or availability (A:N) concerns were reported.
Attackers could potentially force the Webex Meetings service to return incorrect HTTP responses to clients joining meetings.
This could lead to various security issues, including session disruption or potentially more severe consequences if chained with other vulnerabilities.
| Risk Factors | Details |
| --- | --- |
| Affected Products | Cisco Webex Meetings (cloud-based service; no on-premises systems impacted) |
| Impact | Integrity compromise via HTTP cache poisoning, enabling manipulated responses to clients |
| Exploit Prerequisites | No privileges required |
| CVSS 3.1 Score | 4.3 (Medium) |
Mitigation
Cisco has already addressed the vulnerability in its cloud-based Webex Meetings service, with no customer action required for remediation.
According to the security advisory, “No user action is required” and “There are no workarounds that address this vulnerability”.
The Cisco Product Security Incident Response Team (PSIRT) reported no evidence of public exploitation of this vulnerability at the time of disclosure.
Organizations using Cisco Webex Meetings should ensure they’re using the latest version of the service, which already includes the fix.
Security experts recommend several preventive measures for organizations concerned about web cache poisoning vulnerabilities: validate and sanitize all user inputs, especially HTTP headers; ensure proper cache configuration; and consider implementing response headers like Vary to control caching behavior.
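The following is an added example, not code from Cisco's advisory or the Webex service: a toy Python model of the unkeyed-input problem described earlier and of the Vary recommendation, with a check that flags headers which change the response without changing the cache key. The origin handler, the choice of X-Forwarded-Host and the host names are constructed assumptions; the advisory does not say which input was unkeyed.

```python
# Toy model of a shared cache in front of a constructed origin handler.
# All names here (origin, Cache, X-Forwarded-Host, meet.example) are
# illustrative assumptions, not details of the Webex service.

def origin(path, headers):
    """Constructed back end that builds a link from a request header."""
    host = headers.get("X-Forwarded-Host", "meet.example")
    return f'<a href="https://{host}{path}">Join</a>'

class Cache:
    def __init__(self, vary=()):
        self.vary = tuple(vary)  # headers added to the cache key, as Vary does
        self.store = {}

    def key(self, path, headers):
        # Keyed inputs: the path plus every header listed in self.vary.
        return (path,) + tuple(headers.get(h, "") for h in self.vary)

    def get(self, path, headers):
        k = self.key(path, headers)
        if k not in self.store:  # miss: fetch from origin and store
            self.store[k] = origin(path, headers)
        return self.store[k]

def unkeyed_influencers(cache, path, candidates):
    """Return headers that change the origin response but not the cache key."""
    found = []
    for h in candidates:
        probe = {h: "probe.invalid"}
        changes_body = origin(path, probe) != origin(path, {})
        changes_key = cache.key(path, probe) != cache.key(path, {})
        if changes_body and not changes_key:
            found.append(h)
    return found

def second_user_sees(cache, path):
    """One request carries a modified header; return what a plain request gets."""
    cache.get(path, {"X-Forwarded-Host": "other.invalid"})
    return cache.get(path, {})

CANDIDATES = ["X-Forwarded-Host", "Accept-Language"]
weak = Cache()                            # key is the path only
fixed = Cache(vary=["X-Forwarded-Host"])  # header is part of the key

if __name__ == "__main__":
    print("weak :", unkeyed_influencers(weak, "/join", CANDIDATES),
          second_user_sees(weak, "/join"))
    print("fixed:", unkeyed_influencers(fixed, "/join", CANDIDATES),
          second_user_sees(fixed, "/join"))
```

Keying on the header stops one user's response from being shared with another; having the origin validate or ignore the header, the first measure in the list above, removes the influence altogether.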