Cisco has released software updates to address a critical security flaw affecting Meeting Management that could allow an authenticated remote attacker to gain administrator privileges on susceptible instances.
The vulnerability, tracked as CVE-2025-20156, has a CVSS score of 9.9 out of 10.0. It has been described as a privilege escalation flaw in the Cisco Meeting Management REST API.
“This vulnerability exists because proper authorization is not performed for REST API users,” the company said in an advisory on Wednesday. “An attacker could exploit this vulnerability by sending API requests to a specific endpoint.”
“A successful exploit could allow an attacker to gain administrator-level control over edge nodes managed by Cisco Meeting Management.”
The networking specialist credited Modux’s Ben Leonard-Lagarde for reporting the security flaw. It affects the following product versions regardless of device configuration:
- Cisco Meeting Management Release 3.9 (Fixed in 3.9.1)
- Cisco Meeting Management Release 3.8 and earlier (Migrate to a fixed release)
- Cisco Meeting Management Release 3.10 (Not Vulnerable)
Cisco also released patches to address a denial-of-service (DoS) vulnerability affecting BroadWorks caused by incorrect memory handling for some Session Initiation Protocol (SIP) requests (CVE-2025-20165, CVSS score: 7.5). The problem was fixed in version RI.2024.11.
“An attacker could exploit this vulnerability by sending a large number of SIP requests to an affected system,” it said.
“A successful exploit could allow an attacker to exhaust the memory that has been allocated by Cisco BroadWorks network servers that process SIP traffic. When memory is out, network servers can no longer process incoming requests, resulting in a DoS condition that requires manual intervention to recover from.”
The third vulnerability patched by Cisco is CVE-2025-20128 (CVSS score: 5.3), an integer constraint bug affecting the ClamAV Object Linking and Embedding 2 (OLE2) decryption routine, which can also lead to a DoS condition.
The company, which credited Google OSS-Fuzz for reporting the flaw, said it is aware of proof-of-concept (PoC) exploit code, although there is no evidence that it has been used maliciously in the wild.
CISA and FBI detail Ivanti exploit chain
News of Cisco’s flaws comes after U.S. government cybersecurity and law enforcement agencies released technical details in September 2024 of two exploit chains used by nation-state hacking teams to compromise Ivanti cloud service applications.
The vulnerabilities in question are as follows –
The attack sequences, according to the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), involved exploiting CVE-2024-8963 in combination with CVE-2024-8190 and CVE-2024-9380 in one case, and CVE-2024-8963 and CVE-2024-9379 in the other.
It should be noted that the first exploit chain was disclosed by Fortinet FortiGuard Labs in October 2024. In at least one instance, the threat actors are believed to have moved laterally after gaining a foothold.
The second exploit chain was found to use CVE-2024-8963 in conjunction with CVE-2024-9379 to gain access to the target network, followed by failed attempts to implant web shells for persistence.
“Threat actors have exploited the listed vulnerabilities to gain initial access, perform remote code execution (RCE), obtain credentials, and deploy web shells on victim networks,” the agencies said. “Credentials and sensitive data stored on compromised Ivanti appliances should be considered compromised.”