
Cisco: Critical Meeting Management Bug Requires Urgent Patch


Cisco has released a patch for a critical vulnerability found in its Cisco Meeting Management feature that could allow a remote, authenticated attacker to elevate themselves to administrator privileges on an affected device.

The vulnerability, tracked as CVE-2025-20156 (CVSS score of 9.9), is located in the REST API and exists because "proper authorization" is not enforced on REST API users. By sending specially crafted API requests to a specific endpoint, an attacker could exploit the vulnerability to gain administrator-level control over edge nodes managed by Cisco Meeting Management.

The management system is vulnerable to the bug regardless of device configuration, according to the advisory. So, anyone using Cisco Meeting Management 3.9 or earlier would need to migrate to a supported version in order to fix the bug. Those with version 3.9 should upgrade to version 3.9.1, and those with version 3.10 remain unaffected. There are no workarounds to address the vulnerability.

