Weekly threat roundup: Cisco, BlueKeep, Apache Unomi

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

‘Ghost’ vulnerability in Cisco Webex

Cisco has patched a flaw in its Webex video conferencing platform that could allow an attendee to behave as a ‘ghost’ in a live meeting, allowing them to spy on participants without them knowing.

The medium-risk flaw, assigned CVE-2020-3419, would have allowed a remote attacker to join a session without appearing on the participant list. This has been blamed on the improper handling of authentication tokens by a vulnerable Webex site. Successful exploitation required the attacker to have access to join a meeting, including join links and passwords, but once in they would then gain full access to audio, video, chat, and screen sharing capabilities.

RCE flaws left out of Cisco Security Manager patch notes

Eyebrows were raised when security researcher Florian Hauser claimed that the latest patch notes released by Cisco this week left out the details of 12 severe security flaws in the company’s Security Manager (CSM) tool. These 12 bugs were reported to the networking giant in July, and almost all involved remote code execution.

The developer initially failed to mention these in a recent set of patch notes, according to Hauser, nor did the company release security advisories when CSM was updated to version 4.22 earlier this month. As a result, the researcher published the proof-of-concept for all 12 flaws.

The firm subsequently released three advisories for vulnerabilities tagged CVE-2020-27130, CVE-2020-27131 and CVE-2020-27125, crediting Hauser with their discovery.

Warning issued over historic flaws - including BlueKeep

Millions of corporate devices are still vulnerable to historic vulnerabilities, according to analysis by security researcher Jan Kopriva, including roughly 240,000 machines susceptible to the BlueKeep exploit.

Although the infamous vulnerability was discovered more than a year and a half ago, an alarming number of devices are still vulnerable. This is particularly concerning given the widely-publicised ‘wormable’ nature of the flaw and the way it can spread between terminals in a corporate network without any user intervention.

By scanning the Shodan search engine, Kopriva was able to ascertain a rough indication of the number of devices vulnerable to specific flaws, all discovered before 2020. For example, an Apache HTTP server root privilege escalation flaw tagged CVE-2019-0211 still affects 3,357,835 machines. The HeartBleed OpenSSL flaw, meanwhile, still affects 204,878 devices despite a patch being released more than six years ago.

Cookie and file theft in Firefox for Android

Mozilla has rolled out a fix for a vulnerability in the mobile version of its Firefox web browser after reports showed attackers were able to exploit it to steal files from the device, including cookies for previously visited websites.

Tagged CVE-2020-15647, the vulnerability lies in how Firefox handles Uniform Resource Identifiers (URIs), strings that correspond to locally saved files and that allow Android devices to identify data in a content provider. Researcher Pedro Oliveira demonstrated it was possible to steal files from the device solely by having the victim visit a webpage, including a database containing all cookies from visited domains.

Firefox acknowledged the report swiftly when it was first flagged in June earlier this year, and issued a fix in July 2020. This is the second prominent Firefox for Android flaw disclosed in recent weeks, following another bug that could allow attackers to hijack sessions over Wi-Fi.

Apache Unomi RCE flaw discovered

The Java open source customer data platform, Apache Unomi, contained a now patched flaw that allowed attackers to send malicious requests with MVEL and OGNL expressions (which sit within the Unomi package). This could eventually lead to remote code execution.

The flaw, tagged CVE-2020-13942 and rated a maximum of 10.0 on the CVSS severity scale, was discovered by the Checkmarx Security Research Team and has since been publicised because the Unomi platform is a highly desired target for attackers. This is because the system can be integrated with various other platforms, including CMS, CRM, native mobile apps, and more, and contains an abundance of data.

The vulnerability has been fixed, and users have been urged to upgrade to Apache Unomi version 1.5.2 or later as soon as possible.

Critical remote attacking flaw found in industrial machinery

The 499ES EtherNet/IP (ENIP) stack built by Real-Time Automation (RTA) is currently vulnerable to a critical flaw that could allow a remote attacker to compromise industrial connected machinery. This is the stack that powers the control system devices in industrial and manufacturing environments.

Tracked as CVE-2020-25159 and rated 9.8 out of 10 in severity on the CVSS scale, the stack buffer overflow vulnerability is said to affect ENIP versions 2.28 and earlier. Exploitation allows an attacker to send a specially crafted packet that could result in a denial-of-service condition or even arbitrary code execution.

The flaw was discovered by Claroty’s Sharon Brizinov and reported to the US government’s Cybersecurity and Infrastructure Security Agency (CISA). The agency recommends that users minimise network exposure for all control system devices to ensure they’re not accessible from the internet, and that they locate control system networks and remote devices behind a firewall and isolate them from the corporate network.

There are, at the time of publishing, no known public exploits specifically targeting this vulnerability.