CVE-2025-20156Improper Handling of Insufficient Privileges in Cisco Meeting Management

CWE-274Improper Handling of Insufficient PrivilegesCWE-276Incorrect Default Permissions4 documents4 sources
Severity
9.9CRITICALNVD
EPSS
3.4%
top 12.60%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco Meeting ManagementCisco Meeting Management
Timeline
PublishedJan 22

Description

A vulnerability in the REST API of Cisco Meeting Management could allow a remote, authenticated attacker with low privileges to elevate privileges to administrator on an affected device. This vulnerability exists because proper authorization is not enforced upon REST API users. An attacker could exploit this vulnerability by sending API requests to a specific endpoint. A successful exploit could allow the attacker to gain administrator-level control over edge nodes that are managed by Cisco Mee

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 3.1 | Impact: 6.0

Affected Packages2 packages

CVEListV5cisco/cisco_meeting_management11 versions+10

🔴Vulnerability Details

2
CVEList
Cisco Meeting Management Client-Server Privilege Escalation Vulnerability2025-01-22
GHSA
GHSA-8m34-ghfg-xxc2: A vulnerability in the REST API of Cisco Meeting Management could allow a remote, authenticated attacker with low privileges to elevate privileges to2025-01-22

📋Vendor Advisories

1
Cisco
Cisco Meeting Management REST API Privilege Escalation Vulnerability2025-01-22
CVE-2025-20156 — Cisco Meeting Management vulnerability | cvebase