cbcvebase.
CVE-2026-20098
published 2026-02-04

CVE-2026-20098: A vulnerability in the Certificate Management feature of Cisco Meeting Management could allow an authenticated, remote attacker to upload arbitrary files…

PriorityP266high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.38%
30.2th percentile
A vulnerability in the Certificate Management feature of Cisco Meeting Management could allow an authenticated, remote attacker to upload arbitrary files, execute arbitrary commands, and elevate privileges to root on an affected system. This vulnerability is due to improper input validation in certain sections of the web-based management interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected system. A successful exploit could allow the attacker to upload arbitrary files to the affected system. The malicious files could overwrite system files that are processed by the root system account and allow arbitrary command execution with root privileges. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of video operator.

Affected

17 ranges
VendorProductVersion rangeFixed in
ciscocisco_meeting_management
ciscocisco_meeting_management
ciscocisco_meeting_management
ciscocisco_meeting_management
ciscocisco_meeting_management
ciscocisco_meeting_management
ciscocisco_meeting_management
ciscocisco_meeting_management
ciscocisco_meeting_management
ciscocisco_meeting_management
ciscocisco_meeting_management
ciscocisco_meeting_management
ciscocisco_meeting_management
ciscocisco_meeting_management
ciscocisco_meeting_management
ciscomeeting_management< 3.12.13.12.1
ciscomeeting_management

Detection & IOCsextracted from sources · hover to see the quote

  • Exploit vector is a crafted HTTP request to the Certificate Management section of the web-based management interface; monitor for unexpected file upload requests (e.g., multipart/form-data POST) to Certificate Management endpoints by accounts holding the 'video operator' role or higher.
  • Alert on file writes to system-owned paths originating from the Cisco Meeting Management web process, particularly files that would be processed by the root account, as successful exploitation overwrites system files to achieve root command execution.
  • Scope monitoring to authenticated sessions: the attacker must hold at least the 'video operator' role. Audit and alert on privilege escalation to root from web-tier processes following file upload activity by video operator accounts.
  • The vulnerability is rooted in the Certificate Management feature; focus file-upload anomaly detection specifically on that feature's endpoints within the Cisco Meeting Management web UI.
  • ·Exploitation requires valid credentials with at least the 'video operator' role — this is an authenticated vulnerability, not exploitable pre-auth. Ensure access controls and account hygiene for operator-level roles are enforced as a compensating control.
  • ·There are no workarounds available; patching to a fixed software version is the only remediation. Cisco Bug ID CSCwr97339 tracks this issue.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_cisco8.8HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.