Advisory

Cisco patches critical flaw in Meeting Management software

Take action: If you are running Cisco Meeting Management software, plan a patch for this one. It's not a panic-mode fix, since attackers need to be authenticated, which gives you a bit of breathing room. But don't ignore the patch: credentials do get compromised.


Learn More

Cisco is reporting a critical security vulnerability in their Meeting Management software that affects their REST API implementation.

The vulnerability is tracked as CVE-2025-20156 (CVSS score 9.9) and allows a remote authenticated attacker with low privileges to escalate their privileges to administrator level on affected devices. The security flaw exists due to improper authorization enforcement in the REST API implementation. Successful exploitation could grant an attacker administrator-level control over edge nodes managed by Cisco Meeting Management.

The vulnerability impacts Cisco Meeting Management versions 3.8 and earlier, as well as version 3.9 up to but not including 3.9.1. Version 3.10 is confirmed not to be vulnerable.

The flaw affects all configurations of Cisco Meeting Management, and no workarounds are available.

Cisco has released software updates to address this vulnerability. Users should upgrade to the following fixed versions:

  • For version 3.8 and earlier: Migrate to a fixed release
  • For version 3.9: Upgrade to version 3.9.1
  • Version 3.10: Not affected
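The fixed-version table above is easy to misread during a patch sweep (a bare "3.9" is affected, "3.9.1" is not). The following is an added example, not Cisco's code and not part of the advisory, that encodes exactly the ranges stated here into a small triage helper you can run over an inventory of version strings. The inventory below is constructed for illustration, and the handling of releases newer than 3.10 (not mentioned by the advisory) is an assumption: such versions are reported as "not listed" rather than as affected.

```python
"""Triage Cisco Meeting Management versions against CVE-2025-20156.

Added example; it only encodes what the advisory states:
  * 3.8 and earlier          -> affected, migrate to a fixed release
  * 3.9 up to (not incl.) 3.9.1 -> affected, upgrade to 3.9.1
  * 3.9.1 and later 3.9.x    -> fixed
  * 3.10                     -> not affected
Anything newer than 3.10 is an assumption (flagged as "not listed").
"""
import re
from dataclasses import dataclass

_VERSION_RE = re.compile(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*$")


@dataclass(frozen=True)
class Verdict:
    version: str
    affected: bool
    action: str


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major[.minor[.patch]]'; missing components are treated as 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return major, minor, patch


def assess(version_text: str) -> Verdict:
    """Return the advisory's verdict and recommended action for one version."""
    major, minor, patch = parse_version(version_text)
    if (major, minor) <= (3, 8):
        # Covers 3.8 and every earlier release (including pre-3.x).
        return Verdict(version_text, True, "affected: migrate to a fixed release")
    if (major, minor) == (3, 9):
        if patch < 1:
            return Verdict(version_text, True, "affected: upgrade to 3.9.1")
        return Verdict(version_text, False, "fixed release (3.9.1 or later 3.9.x)")
    if (major, minor) == (3, 10):
        return Verdict(version_text, False, "not affected per advisory")
    # Assumption: releases newer than 3.10 are not covered by the advisory text.
    return Verdict(version_text, False, "not listed in advisory; verify with Cisco")


def triage(inventory: dict[str, str]) -> list[tuple[str, str]]:
    """Return (host, action) pairs for every host whose version is affected.

    Unparseable version strings are reported as affected so they are not
    silently dropped from the patch list.
    """
    work: list[tuple[str, str]] = []
    for host, version in inventory.items():
        try:
            verdict = assess(version)
        except ValueError:
            work.append((host, f"unparseable version {version!r}: check manually"))
            continue
        if verdict.affected:
            work.append((host, verdict.action))
    return work


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "cmm-lab-01": "3.8",
    "cmm-lab-02": "3.9",
    "cmm-prod-01": "3.9.1",
    "cmm-prod-02": "3.10",
    "cmm-old-01": "3.7.2",
    "cmm-unknown": "n/a",
}

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY):
        print(f"{host}: {action}")
```

Run it against your own `host -> version` mapping; only affected (or unparseable) hosts come back, so the output doubles as the patch work list.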

The Cisco Product Security Incident Response Team (PSIRT) has stated they are not aware of any public announcements or malicious exploitation of this vulnerability in the wild.

For customers with service contracts, updates should be obtained through their usual update channels. Those without service contracts can contact Cisco Technical Assistance Center (TAC) for update access.
