Analysis Summary

A newly disclosed vulnerability in Cisco Webex for BroadWorks Release 45.2 exposes sensitive credentials and user data when Session Initiation Protocol (SIP) communications lack encryption. The flaw stems from improper handling of SIP headers in Windows-based environments, allowing attackers on the same network segment to conduct man-in-the-middle (MitM) attacks. Without Transport Layer Security (TLS) or Secure Real-Time Transport Protocol (SRTP), authentication credentials such as usernames, passwords, and session tokens are transmitted in plaintext, making them susceptible to interception. Additionally, authenticated users with log access can extract plaintext credentials, increasing the risk of lateral movement or impersonation attacks. Notably, Linux and macOS versions remain unaffected.

The vulnerability is particularly concerning because SIP, a core component of VoIP systems, transmits signaling data in cleartext unless encryption is enforced. Attackers leveraging this flaw can reconstruct authentication headers to steal credentials, impersonate legitimate users, and hijack active calls or meetings. The flaw's low attack complexity (CVSSv4.0: 0.6) and lack of required privileges make it an accessible target for opportunistic threats. However, Cisco’s Product Security Incident Response Team (PSIRT) has not yet observed any real-world exploitation or public disclosures of this issue. Given the reliance on hybrid cloud and on-premises telephony deployments, organizations must address these risks promptly to prevent unauthorized access and service disruptions.

Cisco has responded by automatically pushing configuration updates to enforce TLS/SRTP for SIP, though administrators must restart Webex applications to activate these changes. Additional mitigation strategies include enforcing encrypted SIP transport, rotating credentials, and restricting log access to prevent credential harvesting. Organizations using session border controllers (SBCs) or Cisco Unified Border Element (CUBE) must also ensure end-to-end SIP encryption. Network segmentation and intrusion detection systems (IDS) can further isolate vulnerable systems while patches are applied. As unified communications evolve, securing legacy systems with modern encryption protocols remains crucial to mitigating opportunistic attacks.

Impact

• Sensitive Data Theft

Remediation

• Implement Transport Layer Security (TLS) 1.2+ and Secure Real-Time Transport Protocol (SRTP) to prevent unauthorized interception of credentials.
• Cisco has pushed configuration updates, but administrators must restart Webex applications to activate the security changes.
• Change authentication credentials for all BroadWorks-integrated accounts to mitigate potential credential exposure risks.
• Audit and enforce strict permissions on log files to prevent authenticated users from extracting plaintext credentials.
• Organizations using Cisco Unified Border Element (CUBE) or third-party session border controllers (SBCs) must ensure SIP headers are encrypted across the entire communication path.
• Isolate vulnerable systems to minimize the attack surface and prevent lateral movement in case of credential exposure.
• Utilize IDS to monitor for suspicious activity, such as unauthorized SIP traffic interceptions or credential harvesting attempts.
• Regularly review and audit SIP configurations, access controls, and encryption settings to ensure compliance with security best practices.