Cisco Patches Critical Flaw in Meeting Management Tool


Cisco has issued a warning about a critical privilege escalation vulnerability in its Meeting Management tool, tracked as CVE-2025-20156. The flaw could allow a remote, authenticated attacker with low privileges to elevate those privileges to administrator on an affected instance.

Disclosed on January 22, the vulnerability was still awaiting analysis by the US National Vulnerability Database (NVD) at the time of writing. Cisco has assigned it a CVSS base score of 9.9, underlining its critical severity, and published a security advisory the same day.

Vulnerability in Cisco Meeting Management REST API

The NVD entry classifies the weakness as incorrect default permissions and improper handling of insufficient privileges. Cisco's advisory attributes the issue to a lack of proper authorization enforcement on users of the product's REST API, the interface used for programmatic web service interactions.

An attacker who already holds a valid low-privileged account could exploit the flaw by sending crafted API requests to a specific endpoint; a successful exploit grants administrator-level control over the edge nodes managed by the tool. The vulnerability affects Cisco Meeting Management 3.9 and all earlier releases, while 3.10 and later are not affected.
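The mechanism described above is a missing authorization check, not a missing authentication check: the caller is a legitimate user, but the endpoint never verifies that the caller's role permits the requested action. The following is an added, illustrative model of that flaw class and its fix. It is not Cisco's code, does not reproduce the real endpoint, and the user store, tokens and `set_role_*` handlers are constructed for the example.

```python
"""Model of a REST privilege-escalation flaw: authentication is enforced,
authorization is not, so a low-privileged user can promote themselves.

Constructed example. The store, tokens and handler names are hypothetical
and are not taken from Cisco Meeting Management.
"""
from dataclasses import dataclass

ADMIN = "admin"
VIEWER = "viewer"
VALID_ROLES = {ADMIN, VIEWER}


@dataclass
class User:
    name: str
    role: str


class Unauthorized(Exception):
    """Caller presented no valid credential (HTTP 401)."""


class Forbidden(Exception):
    """Caller is known but not permitted to do this (HTTP 403)."""


def make_store():
    """Fresh sample data for each run: one admin, one low-privileged user."""
    users = {"alice": User("alice", ADMIN), "bob": User("bob", VIEWER)}
    tokens = {"tok-alice": "alice", "tok-bob": "bob"}  # constructed tokens
    return users, tokens


def authenticate(tokens, users, token):
    """Map a bearer token to a User, or reject it. Authentication only."""
    name = tokens.get(token)
    if name is None:
        raise Unauthorized("invalid token")
    return users[name]


def set_role_vulnerable(users, tokens, token, target, new_role):
    """PATCH /users/<target> as it might look before the fix: the handler
    confirms who the caller is, then performs the change for anyone."""
    authenticate(tokens, users, token)          # checks identity only
    users[target].role = new_role               # no check of caller.role
    return users[target].role


def set_role_fixed(users, tokens, token, target, new_role):
    """Same endpoint with authorization enforced server-side: the caller's
    role (read from the store, never from the request) must be admin."""
    caller = authenticate(tokens, users, token)
    if caller.role != ADMIN:
        raise Forbidden(f"{caller.name} may not change roles")
    if new_role not in VALID_ROLES:
        raise ValueError(f"unknown role {new_role!r}")
    users[target].role = new_role
    return users[target].role


def demo():
    """Bob (viewer) promotes himself on the vulnerable handler; the fixed
    handler refuses. Returns (vulnerable_result, fixed_refused)."""
    users, tokens = make_store()
    escalated = set_role_vulnerable(users, tokens, "tok-bob", "bob", ADMIN)
    users, tokens = make_store()
    try:
        set_role_fixed(users, tokens, "tok-bob", "bob", ADMIN)
        refused = False
    except Forbidden:
        refused = True
    return escalated, refused


if __name__ == "__main__":
    print(demo())
```

The point worth carrying into code review: the role used for the decision comes from the server's own record of the caller, not from any field in the request, and the check sits in the handler itself rather than only in a client-side UI that hides the button.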

Cisco's Product Security Incident Response Team (PSIRT) stated that it was not aware of any public announcements or malicious use of this vulnerability at the time the advisory was published.

Cisco Releases Fixed Version

Cisco has released a fix for the vulnerability in Cisco Meeting Management version 3.9.1.

The company stated that there are no workarounds and urged customers to upgrade to the fixed release. Customers without a Cisco service contract, or those who purchased through third-party vendors and cannot obtain the fixed software from their supplier, can contact the Cisco Technical Assistance Center (TAC) for the upgrade.
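Deciding whether an installed release falls under "3.9 and earlier" sounds trivial but is a common source of triage mistakes, because a plain string comparison puts "3.10" before "3.9". The following added helper (not part of the article or of any Cisco tool) encodes the affected and fixed ranges stated in the advisory as numeric comparisons; the `remediation` wording is this example's own summary of that table.

```python
"""Affected-version triage for CVE-2025-20156 in Cisco Meeting Management.

Ranges stated in the advisory: 3.9 and earlier are affected, 3.9.1 is the
fixed release, 3.10 and later are not affected. Added example, not vendor
tooling; version strings used for checks are constructed."""

FIXED = (3, 9, 1)
FIRST_UNAFFECTED_TRAIN = (3, 10)


def parse_version(version):
    """Turn '3.9', '3.9.1' or '3.10.0' into a comparable tuple of ints.
    Missing components are treated as 0, so '3.9' == '3.9.0'."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def is_affected(version):
    """True when the release predates the 3.9.1 fix. Numeric tuple
    comparison avoids the lexical trap where '3.10' < '3.9'."""
    return parse_version(version) < FIXED


def remediation(version):
    """Action per the advisory's fixed-release guidance."""
    v = parse_version(version)
    if v >= FIRST_UNAFFECTED_TRAIN + (0,):
        return "not affected"
    if v >= FIXED:
        return "not affected (fixed release)"
    if v[:2] == (3, 9):
        return "update to 3.9.1"
    return "migrate to a fixed release (3.9.1)"


def triage(inventory):
    """Map hostname -> version (constructed inventory) to hostname -> action,
    returning only hosts that still need work."""
    return {host: remediation(ver) for host, ver in inventory.items()
            if is_affected(ver)}


if __name__ == "__main__":
    sample = {"cmm-1": "3.8.2", "cmm-2": "3.9", "cmm-3": "3.9.1", "cmm-4": "3.10"}
    print(triage(sample))
```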

For Further Reference

https://www.infosecurity-magazine.com/news/cisco-critical-vulnerability/

Great to see proactive security measures being taken.
