Cisco Patches Critical Privilege Escalation Vulnerability In Meeting Management Software » TechWorm

by CybrGPT

Cisco, the largest provider of networking equipment in the world, released a security update on Wednesday to address a critical privilege escalation vulnerability in the REST API of Cisco Meeting Management.

The critical vulnerability tracked as CVE-2025-20156 has been rated 9.9 out of 10 on the Common Vulnerability Scoring System (CVSS). This privilege escalation flaw, if exploited, could allow a remote, authenticated attacker with low privileges to elevate privileges to administrator on an affected device, posing a severe risk to organizations.

“This vulnerability exists because proper authorization is not enforced upon REST API users. An attacker could exploit this vulnerability by sending API requests to a specific endpoint,” the company said in an advisory on Wednesday.

Cisco also thanked Ben Leonard-Lagarde of Modux for reporting this vulnerability.

The following versions of Cisco Meeting Management are affected regardless of device configuration; Cisco has released software updates for them.

  • Cisco Meeting Management 3.8 and earlier: Users are recommended to migrate to a fixed release, such as 3.9.1.
  • Cisco Meeting Management 3.9: Patched in 3.9.1
  • Cisco Meeting Management 3.10: This version is not impacted and does not require any updates.
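As an added example (not from the article or from Cisco), the short Python helper below applies the version table above to a software inventory so the hosts that still need the update can be listed. It compares versions numerically, because a plain string comparison would rank "3.10" below "3.9" and misclassify the unaffected train. The host names and the shape of the inventory are assumptions.

```python
from typing import Tuple

# Rules as stated in the advisory: 3.8 and earlier affected, 3.9 affected
# before 3.9.1, 3.10 not impacted. Any other train is reported as unknown.
FIXED_RELEASE = (3, 9, 1)      # first fixed build of the 3.9 train
UNAFFECTED_TRAIN = (3, 10)     # advisory: 3.10 does not need updates

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.9.1' into (3, 9, 1); '3.8' is padded to (3, 8, 0)."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def assess(version: str) -> str:
    """Classify one Cisco Meeting Management version against the advisory."""
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"
    if v[0] != 3 or v[:2] > UNAFFECTED_TRAIN:
        return "unknown"           # train not covered by the advisory text
    if v[:2] == UNAFFECTED_TRAIN:
        return "not affected"
    return "affected" if v < FIXED_RELEASE else "fixed"

def triage(inventory: dict) -> dict:
    """Group host names by status; the 'affected' list is the patch queue."""
    groups = {"affected": [], "fixed": [], "not affected": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        groups[assess(version)].append(host)
    return groups

# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = {
    "cmm-lab-01": "3.8",
    "cmm-lab-02": "3.9",
    "cmm-prod-01": "3.9.1",
    "cmm-prod-02": "3.10",
    "cmm-old-01": "3.7.2",
    "cmm-misc-01": "build-2024",   # unparsable, surfaced for manual review
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:>12}: {', '.join(hosts) or '-'}")
```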

As of the advisory’s release, the Cisco Product Security Incident Response Team (PSIRT) said it was not aware of any public announcements or malicious use of the vulnerability, and had found no evidence that the flaw is being actively exploited.

Unfortunately, there are no workarounds to mitigate this vulnerability. The only way to address this issue is to apply the necessary software updates.

Cisco has urged users to apply the available patches immediately to mitigate the risk. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.

Customers without service contracts can contact the Technical Assistance Center (TAC) for help in obtaining the necessary upgrades.

Further, the company has confirmed that only the products listed in the Vulnerable Products section of the advisory are affected. Cisco also advises users to check hardware and software compatibility before upgrading, to maintain the safety and stability of their systems.
