CVE-2025-20156
published 2025-01-22


Priority: P2 (68)
Severity: critical, CVSS 3.1 base score 9.9
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 1.16% (percentile 63.1)
A vulnerability in the REST API of Cisco Meeting Management could allow a remote, authenticated attacker with low privileges to elevate privileges to administrator on an affected device. This vulnerability exists because proper authorization is not enforced upon REST API users. An attacker could exploit this vulnerability by sending API requests to a specific endpoint. A successful exploit could allow the attacker to gain administrator-level control over edge nodes that are managed by Cisco Meeting Management.

Affected

13 ranges
Vendor   Product                      Version range   Fixed in
cisco    cisco_meeting_management
cisco    meeting_management           < 3.9.1         3.9.1
cisco    meeting_management_rest

Detection & IOCs (extracted from sources)

  • Exploitation involves sending API requests to a specific REST API endpoint on Cisco Meeting Management; monitor for low-privileged authenticated users making unusual REST API calls that result in privilege escalation to administrator.
  • The vulnerability is rooted in missing authorization enforcement on REST API users; alert on privilege changes to administrator role originating from low-privilege REST API sessions in Cisco Meeting Management audit logs.
  • Track Cisco internal bug ID CSCwi88558 for vendor patch and signature updates related to this privilege escalation vulnerability.
  • No workarounds are available; patching is the only remediation. Ensure Cisco Meeting Management is updated to a fixed software version.
  • Successful exploitation grants administrator-level control over edge nodes managed by Cisco Meeting Management, not just the management plane itself; the scope of impact extends to managed infrastructure.
  • Exploitation requires the attacker to be remote and authenticated with at least low privileges: unauthenticated exploitation is not possible, but any low-privilege account is sufficient.

CVSS provenance

nvd: v3.1, 9.9 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vendor_cisco: 9.9 CRITICAL