Cisco addresses a critical privilege escalation bug in Meeting Management
January 23, 2025
Cisco addressed a critical flaw in its Meeting Management that could allow it to gain administrator privileges on vulnerable instances.
Cisco released security updates to fix a critical flaw, tracked as CVE-2025-20156 (CVSS score of 9.9) affecting its Meeting Management. A remote, authenticated attacker can exploit the vulnerability to gain administrator privileges on affected instances.
The vulnerability resides in the REST API of Cisco Meeting Management, the issue arises from a lack of proper authorization in the REST API. An attacker can exploit the flaw via specific endpoint requests.
“This vulnerability exists because proper authorization is not enforced upon REST API users. An attacker could exploit this vulnerability by sending API requests to a specific endpoint.” reads the advisory published b the IT giant. “A successful exploit could allow the attacker to gain administrator-level control over edge nodes that are managed by Cisco Meeting Management.”
The security researcher Ben Leonard-Lagarde of Modux reported this vulnerability.
The company states that there are no workarounds to address this vulnerability.
Below are the affected releases, the company urges customers to upgrade to an appropriate fixed software release as reported in the following table.
| Cisco Meeting Management Release | First Fixed Release |
|---|---|
| 3.8 and earlier | Migrate to a fixed release. |
| 3.9 | 3.9.1 |
| 3.10 | Not vulnerable. |
The good news is that Cisco PSIRT is not aware attacks in the wild exploiting this vulnerability.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, Cisco Meeting Server)