NEWS BRIEF

Cisco has released a patch for a critical vulnerability found in its Cisco Meeting Management feature that could allow a remote, authenticated attacker to elevate themselves to administrator privileges on an affected device.

Cisco Meeting Management is a management tool for Cisco's on-premises meeting platform, Cisco Meeting Server. The management system allows users to monitor and manage meetings running on the platform through two user roles: administrators, who have free rein over the platform, and "video operators," who only have access to the meetings and overview pages.

The vulnerability, tracked as CVE-2025-20156 (CVSS score of 9.9), is located in the REST API and exists because "proper authorization" is not enforced on REST API users. An attacker who sends specially crafted API requests to a specific endpoint could exploit the vulnerability to gain administrator-level control over edge nodes managed by Cisco Meeting Management.

This poses a risk to businesses: a threat actor with video operator access on the platform could exploit this vulnerability to give themselves administrator privileges, allowing them to change configurations, add users, and more, according to the advisory.
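The flaw class described above (an authenticated REST endpoint that never checks the caller's role) beside the hardened form, as an added illustration that is not Cisco's code and does not reflect the real Cisco Meeting Management API; the endpoint paths, role names and request shape are assumptions for the example.

```python
# Added example (not Cisco's code): an authentication-only handler, which lets
# any logged-in user reach any route, next to one that enforces per-route,
# per-role authorization and logs denials for detection.
from dataclasses import dataclass
from typing import Optional

ADMIN = "administrator"
VIDEO_OPERATOR = "video_operator"

# Hypothetical route table: which roles may reach which method/endpoint.
# Video operators only get the meetings and overview pages, read-only.
POLICY = {
    ("GET", "/api/meetings"): {ADMIN, VIDEO_OPERATOR},
    ("GET", "/api/overview"): {ADMIN, VIDEO_OPERATOR},
    ("GET", "/api/users"): {ADMIN},
    ("POST", "/api/users"): {ADMIN},
    ("PUT", "/api/users/{id}/role"): {ADMIN},
}

@dataclass
class Request:
    method: str
    path: str                  # already canonicalised to the route pattern
    user: Optional[str]        # None means no valid session token
    role: Optional[str]

AUDIT = []  # constructed stand-in for the server's audit log

def handle_authn_only(req: Request) -> int:
    """Vulnerable pattern: a valid session is all that is checked."""
    if req.user is None:
        return 401
    # A video operator can reach PUT /api/users/{id}/role and promote itself.
    return 200

def handle_with_authz(req: Request) -> int:
    """Hardened pattern: authenticate, then authorise per route and role."""
    if req.user is None:
        return 401
    allowed = POLICY.get((req.method, req.path))
    if allowed is None or req.role not in allowed:
        # Deny by default (unknown route or role) and record the attempt.
        AUDIT.append(f"DENY user={req.user} role={req.role} {req.method} {req.path}")
        return 403
    return 200
```

Repeated DENY entries from one video operator account against administrative routes are the signal a defender would alert on.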

The management system is vulnerable regardless of device configuration, according to the advisory. Anyone using Cisco Meeting Management 3.9 or earlier would need to migrate to a supported version in order to fix the bug: those on version 3.9 should upgrade to version 3.9.1, while those on version 3.10 are unaffected. There are no workarounds that address the vulnerability.