Cisco has announced essential software updates in response to a severe security vulnerability affecting its Meeting Management platform. This flaw potentially enables a remote, authenticated attacker to escalate privileges to an administrator level on vulnerable systems.

The vulnerability, designated as CVE-2025-20156, has garnered a CVSS score of 9.9 out of 10, indicating its high-risk nature. Cisco describes it as a privilege escalation issue within the REST API of Cisco Meeting Management.

According to Cisco’s advisory, the vulnerability arises from a lack of proper authorization enforcement for REST API users. Attackers could exploit this weakness by dispatching API requests to designated endpoints. If successful, they would gain elevated control over edge nodes managed by the platform, significantly compromising application security.

Ben Leonard-Lagarde of Modux is credited with reporting the vulnerability, which affects multiple versions of the Meeting Management software. Specifically, version 3.9 has been patched in the update to 3.9.1, while earlier versions, including 3.8, require migration to a secured release. Notably, version 3.10 is confirmed as not being vulnerable.
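The version guidance above can be turned into an inventory check. The following is an added example, not code from Cisco or from this article; the hostnames and inventory are constructed, and treating releases later than 3.10 as "unknown" is an assumption, since the article does not mention them. Versions are compared as integer tuples because plain string comparison sorts "3.10" before "3.9".

```python
import re

# Fix matrix for CVE-2025-20156 exactly as the article states it:
#   3.9 -> fixed in 3.9.1; 3.8 and earlier -> migrate; 3.10 -> not vulnerable.
FIXED_IN_3_9 = (3, 9, 1)


def parse_version(text):
    """Parse '3.9', 'v3.10.0' or '3.9.1-rc1' into a (major, minor, patch) tuple."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def triage(version_text):
    """Classify one Meeting Management version against the fix matrix."""
    version = parse_version(version_text)
    train = version[:2]
    if train > (3, 10):
        # Assumption: the article says nothing about releases after 3.10.
        return "unknown: release not covered by the article"
    if train == (3, 10):
        return "not vulnerable"
    if train == (3, 9):
        return "fixed" if version >= FIXED_IN_3_9 else "vulnerable: upgrade to 3.9.1"
    return "vulnerable: migrate to a fixed release"


# Constructed inventory: hostnames and versions are made up for illustration.
INVENTORY = {
    "cmm-lab-01": "3.8.2",
    "cmm-prod-01": "3.9",
    "cmm-prod-02": "3.9.1",
    "cmm-dr-01": "v3.10.0",
}


def report(inventory):
    """Return {host: status} for every host in the inventory."""
    return {host: triage(version) for host, version in inventory.items()}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:12} {INVENTORY[host]:8} {status}")
```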

In addition to this privilege escalation vulnerability, Cisco has released patches for a separate denial-of-service (DoS) flaw in its BroadWorks system, caused by improper memory handling for certain Session Initiation Protocol (SIP) requests (CVE-2025-20165, CVSS score: 7.5). The fix is included in version RI.2024.11.

This second vulnerability allows attackers to flood the system with SIP requests, potentially exhausting allocated memory and leading to a DoS condition requiring manual recovery. Cisco described how exploiting this flaw could obstruct SIP traffic management, rendering the system inoperative.

Cisco has also addressed a third vulnerability, CVE-2025-20128 (CVSS score: 5.3), an integer underflow in the OLE2 decryption routine of ClamAV that can likewise lead to a DoS condition. Cisco credited Google OSS-Fuzz with identifying the flaw and noted that it is aware of proof-of-concept (PoC) exploit code, though no evidence of active exploitation has surfaced.

The tactics and techniques these vulnerabilities could enable align with the MITRE ATT&CK framework, notably under categories such as privilege escalation and initial access. As threats evolve, organizations must remain vigilant and apply best practices to safeguard their networks against such exploits.
