Trustwave achieves verified MXDR solution and FastTrack ready partner status from Microsoft. Learn More

Trustwave achieves verified MXDR solution and FastTrack ready partner status from Microsoft. Learn More

Managed Detection & Response

Eradicate cyberthreats with world-class intel and expertise

Managed Security Services

Expand your team’s capabilities and strengthen your security posture

Consulting & Professional Services

Tap into our global team of tenured cybersecurity specialists

Penetration Testing

Subscription- or project-based testing, delivered by global experts

Database Security

Get ahead of database risk, protect data and exceed compliance requirements

Email Security & Management

Catch email threats others miss with layered security & maximum control

Co-Managed SOC (SIEM)

Eliminate alert fatigue, focus your SecOps team, stop threats fast, and reduce cyber risk

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
The Trustwave Approach
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Platform
SpiderLabs Fusion Center
Security Operations Centers
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Cisco WebEx Memory for the Taking: CVE-2020-3347


Due to the global pandemic of COVID-19, there’s been an explosion of video conferencing and messaging software usage to help people transition their work-life to a work from home environment. Vulnerabilities in this type of software now present an even greater risk to its users. Cisco WebEx is one of the most popular video conferencing solutions available, so I decided to turn my research skills to see how secure the platform is. While I did find a relatively severe memory information leakage vulnerability, we worked with Cisco through our responsible disclosure program to get this vulnerability patched.

Cisco WebEx Memory Vulnerability: CVE-2020-3347

The following applies to Cisco Webex Meetings client on Windows, version


Once the application is installed, it adds a tray app that is started once a user logs on and has some dependent processes launched as well at that time. If a user has configured the client to log in automatically (default case), the following applies.

The client has several memory-mapped files (sections in Windows terms) open and some are not protected from opening for reading/writing by any other Windows user. Specifically, there is a section called:




Based on the file name, it appears to hold some trace information. Malicious users can open and dump the contents of this file if they can logon to the machine. Simply put, another user can loop over sessions and try to open, read, and save interesting content for future inspection.

I found that the file always contains the following sensitive information:

  • E-mail account used as a login
  • URL used to host meetings

When a user starts a meeting, the trace file will also contain a WebExAccessToken which allows anyone to impersonate the user and get access to the WebEx account.

A POC program provided in the advisory opens the memory mapped file for reading and dumps its contents to disk. Once the victim starts a meeting, the dump will contain something like this:



All the attacker needs to do now is to grab the Bearer token from the dump file and use it in the following HTTP POST request:

curl -d @get_token.xml -O

Contents of get_token.xml file:

<?xml version="1.0"?>
<serv:message xmlns:serv=""
<bodyContent xsi:type="java:com.webex.service.binding.user.GetLoginTicket"></bodyContent>

In response a one-time login ticket will arrive:


The next step is to open the following URL in a browser to get control of the victim’s account:


The token in red comes from the above SOAP request that uses WebAccessToken from the dump.




Using the leaked information, I was able to access my own account from another machine with a different IP address. It allowed me to see all meetings along with invited parties and meeting password (if set), download past meeting recordings, and so on. Here's the entire attack:



In an attack scenario, any malicious local user or malicious process running on a computer where WebEx Client for Windows is installed can monitor the memory mapped file for a login token. Once found the token, like any leaked credentials, can be transmitted somewhere so that it can be used to login to the WebEx account in question, download Recordings, view/edit Meetings, etc.

Users of Cisco WebEx for Windows are recommended to upgrade to version 40.6.0 or the most current version as soon as possible.


Trustwave Advisory: TWSL2020-003:
Cisco Advisory for CVE-2020-3347: