CVE-2025-20156

CRITICAL

Cisco Meeting Management - Privilege Escalation

Title source: llm

Description

A vulnerability in the REST API of Cisco Meeting Management could allow a remote, authenticated attacker with low privileges to elevate privileges to administrator on an affected device. This vulnerability exists because proper authorization is not enforced upon REST API users. An attacker could exploit this vulnerability by sending API requests to a specific endpoint. A successful exploit could allow the attacker to gain administrator-level control over edge nodes that are managed by Cisco Meeting Management.

References (3)

Core 3

Core References

Not Applicable

https://blog.clamav.net/2025/01/clamav-142-and-108-security-patch.html

Not Applicable

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-ole2-H549rphA

Vendor Advisory

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmm-privesc-uy2Vf8pc

Scores

CVSS v3 9.9

EPSS 0.0148

EPSS Percentile 81.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-274

Status published

Products (1)

cisco/meeting_management < 3.9.1

Published Jan 22, 2025

Tracked Since Feb 18, 2026