Cisco Fixes Critical Vulnerability in Meeting Management


Cisco has warned of a privilege escalation vulnerability in its Meeting Management tool that could allow a remote, authenticated attacker with low privileges to gain administrator privileges on affected instances.

The vulnerability, CVE-2025-20156, was disclosed by Cisco on January 22 and is awaiting further analysis by the US National Vulnerability Database (NVD).

Cisco also issued a security advisory the same day, assigning the flaw a CVSS base score of 9.9, which rates it as critical.

Vulnerability in Cisco Meeting Management REST API

The vulnerability involves a combination of incorrect default permissions and improper handling of insufficient privileges in Cisco Meeting Management, said the NVD.

According to Cisco's advisory, the vulnerability is due to a lack of proper authorization on the representational state transfer (REST) application programming interface (API) of Cisco Meeting Management. REST is a set of conventions for building and interacting with web services over HTTP; the flaw is in how the API authorizes requests, not in authentication, which is why a low-privileged but valid account is enough to reach it.

An attacker could exploit this vulnerability by sending crafted API requests to a specific endpoint. A successful exploit could allow the attacker to gain administrator-level control over edge nodes that are managed by Cisco Meeting Management.
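The bug class Cisco describes, a privilege-changing REST endpoint that authenticates the caller but never authorizes the action, is easiest to see side by side with its fix. The following is a generic illustration added here, not Cisco's code: the endpoint path, user store and role names are constructed, and nothing in it reproduces the undisclosed CVE-2025-20156 endpoint.

```python
"""Added illustration of a missing-authorization privilege escalation on a
REST endpoint. Generic example code, not Cisco's; the hypothetical endpoint,
user store and role names are constructed for this example."""
from dataclasses import dataclass

ADMIN, OPERATOR, VIEWER = "admin", "operator", "viewer"
ALLOWED_ROLES = {ADMIN, OPERATOR, VIEWER}


class Unauthorized(Exception):
    """No valid session (HTTP 401)."""


class Forbidden(Exception):
    """Valid session, but the caller may not perform this action (HTTP 403)."""


@dataclass
class Session:
    user: str


def fresh_store():
    """Constructed user store: username -> role. 'bob' is a low-privileged user."""
    return {"alice": ADMIN, "bob": VIEWER}


def _require_session(store, session):
    if session is None or session.user not in store:
        raise Unauthorized()


def vulnerable_set_role(store, session, target, new_role):
    """PUT /api/users/<target>/role (hypothetical path), vulnerable variant.
    The only check is authentication, so any logged-in user, including
    'bob', can write any role for any account, including his own."""
    _require_session(store, session)
    store[target] = new_role
    return store[target]


def hardened_set_role(store, session, target, new_role):
    """Same endpoint with proper authorization: the caller's role is read
    from the server-side store (never from the request), the decision is
    default-deny, and the new role is validated against a fixed set."""
    _require_session(store, session)
    if store.get(session.user) != ADMIN:
        raise Forbidden()
    if new_role not in ALLOWED_ROLES:
        raise ValueError(f"unknown role {new_role!r}")
    store[target] = new_role
    return store[target]


def escalation_succeeds(handler):
    """Run the self-promotion attempt through a handler. Returns True if
    'bob' ends up as admin, False if the handler refused."""
    store = fresh_store()
    try:
        handler(store, Session("bob"), "bob", ADMIN)
    except Forbidden:
        pass
    return store["bob"] == ADMIN


if __name__ == "__main__":
    print("vulnerable handler escalates:", escalation_succeeds(vulnerable_set_role))
    print("hardened handler escalates:  ", escalation_succeeds(hardened_set_role))
```

The hardened variant makes two changes that matter for this class of bug: the authorization decision is made on every privilege-changing route rather than assumed from a default, and it is default-deny, so a new role or an unexpected caller fails closed.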

The vulnerability affects Cisco Meeting Management version 3.9 and earlier. Version 3.10 and later are not vulnerable.

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any current campaigns exploiting the vulnerability.

Cisco Releases Fixed Software Version

Cisco has released a fixed software version, Cisco Meeting Management version 3.9.1.

The vendor said there are no workarounds that address this vulnerability and urged customers to upgrade to this version.
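With no workaround, the practical job is finding every affected instance. The following triage helper is added here and is not a Cisco tool; it encodes only the version facts on this page (3.9 and earlier affected, 3.9.1 the fixed release, 3.10 and later not vulnerable) and uses a constructed inventory. It exists mainly to avoid the classic mistake of comparing version strings lexically, where "3.10" sorts before "3.9" and a patched node is reported as vulnerable, or worse, the reverse.

```python
"""Added fleet triage helper for CVE-2025-20156. Not a Cisco tool; the
version thresholds come from the advisory summary on this page and the
inventory below is constructed sample data."""
import re

FIXED = (3, 9, 1)                 # first fixed release in the 3.9 train
NOT_VULNERABLE_FROM = (3, 10, 0)  # 3.10 and later were never affected
AFFECTED, FIXED_RELEASE, NOT_VULNERABLE, UNKNOWN = (
    "affected", "fixed", "not_vulnerable", "unknown")

_VERSION_RE = re.compile(r"^\d+(\.\d+){0,2}$")


def parse_version(text):
    """'3.9' -> (3, 9, 0); '3.9.1' -> (3, 9, 1). Rejects anything that is not
    plain dotted integers so a stray suffix cannot silently compare as safe.
    Integer tuples compare numerically, so (3, 10, 0) > (3, 9, 0)."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unrecognised version {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(version_text):
    """Map one version string to affected / fixed / not_vulnerable."""
    v = parse_version(version_text)
    if v >= NOT_VULNERABLE_FROM:
        return NOT_VULNERABLE
    if v >= FIXED:
        return FIXED_RELEASE
    return AFFECTED


def triage(inventory_lines):
    """inventory_lines: 'hostname<whitespace>version' per line, '#' comments
    allowed. Returns {hostname: status}. Unparsable versions are reported as
    'unknown' rather than dropped, so they still surface for follow-up."""
    result = {}
    for line in inventory_lines:
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        host = fields[0]
        version = fields[1] if len(fields) > 1 else ""
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = UNKNOWN
    return result


# Constructed sample inventory (not real hosts).
INVENTORY = """\
# host        version
cmm-lon-01    3.8.2
cmm-nyc-01    3.9
cmm-syd-01    3.9.1
cmm-fra-01    3.10
cmm-lab-01    3.9-beta
""".splitlines()


if __name__ == "__main__":
    for host, status in sorted(triage(INVENTORY).items()):
        print(f"{host:12s} {status}")
```

Feed it the output of whatever inventory source lists your Meeting Management nodes and their software versions; anything reported as "affected" or "unknown" needs an upgrade to 3.9.1 or a manual check.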

“Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC),” the provider added.

Cisco credited Modux’s Ben Leonard-Lagarde for initially reporting the vulnerability.
